Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Morizot Timothy S <Timothy.S.Morizot@irs.gov>]

From: Paul Vixie



ultimately what matters is whatever works. if cloudflare decides to stop answering QTYPE=ANY then it would take all million or so qmail customers complaining to cloudflare's NOC to get cloudflare to change its mind. i don't think that's going to happen, for a number of reasons, one of which is that the corner case qmail is depending on was a bad idea originally and has gotten nothing but worse since then. but let's run the experiment, shall we?



[snip]



DNSSEC is a colossal flop, but not a mistake. It's an embarrassment, but we'd do it all again if we had to. It's late -- it was started years before the IPv6 effort but is (believe it if you can) even less finished and less deployed than IPv6. It's ugly and complicated and if we knew then what we know now we'd've scrapped DNS itself and started from scratch just to avoid the compromises we've made. But we didn't know then, etc., and what we have to do now is avert our gaze and fully deploy this ugly embarrassing thing.



I agree that what works will ultimately win the day. Cloudflare can do what it wants and if it only breaks qmail's unusual implementation they may decide they are fine with the results. That's a process independent of operational recommendations or policy work. Nor do I see that either will ultimately impact the outcome.



Many of the discussions about DNSSEC tend to focus on who has or hasn't signed their authoritative zones and people tend to point to a low percentage of signed zones as some sort of failure in the deployment of the protocol. (I'm not sure I've seen an analysis that attempts to determine how many of  those unsigned zones are basically just parked domains, but that's a side issue.) But signing is only part of the story and for those of us who have signed our zones, not the most important part. For instance, the statistic I monitor and care the most about is this one:



http://stats.labs.apnic.net/dnssec/US



It's been steadily increasing for years now and gives me an idea what percentage of the US public is protected against certain types of attacks involving our zones. DNSSEC validation is not a panacea, but in a layered approach toward combating fraud and certain sorts of attacks, it does provide a particular sort of protection not available through any other means. Whether or not ISPs sign their authoritative zones matters much less to us than whether or not they implement DNSSEC validation on their recursive nameservers. And that's not a failure at all. By the measure above (which isn't perfect, but the best one available) roughly a fifth to a quarter of the US public, the primary consumers of our zones, exclusively use validating nameservers. That's significant. Would I like to see it higher? Sure. But I'll take it.



Enabling validation supports everyone who cares enough about their zones to sign them, whatever percentage of the total authoritative namespace that might be. Signing authoritative DNS is a decision each organization must make for themselves. I would encourage it, but that's something the organization must weigh. Enabling validation is a public good and much less problematic. And the concerns that have led to the need for negative trust anchors during early deployment mostly go away once most nameservers validate. Then if an organization breaks their authoritative DNS through a DNSSEC error, it breaks for most people instead of just ones with certain providers. It's an incomplete deployment of validation that's toxic and we'll see the most significant benefit from widespread validation. Yet when people talk about DNSSEC 'being broken' (a characterization with which I don't really agree), they mostly focus on the authoritative side.



Just a few thoughts spurred by the discussion.



Scott