IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Bill Woodcock <woody@pch.net> Tue, 09 November 2021 15:39 UTC

Return-Path: <woody@pch.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDDAD3A0805 for <add@ietfa.amsl.com>; Tue, 9 Nov 2021 07:39:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIKURt-KGnRH for <add@ietfa.amsl.com>; Tue, 9 Nov 2021 07:39:19 -0800 (PST)
Received: from mail.pch.net (keriomail.pch.net [206.220.231.84]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D92393A0AEE for <add@ietf.org>; Tue, 9 Nov 2021 07:39:10 -0800 (PST)
X-Footer: cGNoLm5ldA==
Received: from smtpclient.apple ([69.166.14.6]) by mail.pch.net (Kerio Connect 9.2.7 patch 3) with ESMTPS (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)); Tue, 9 Nov 2021 07:39:08 -0800
From: Bill Woodcock <woody@pch.net>
Message-Id: <8315C730-CFC2-4BBA-8909-1DD4AEC97352@pch.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_4E3A353F-B64D-461E-B652-E9DEE936BEBC"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 09 Nov 2021 16:39:03 +0100
In-Reply-To: <b49bbf0f-dd8f-5592-de8e-96ffd87127bb@lear.ch>
Cc: add@ietf.org, Ted Lemon <mellon@fugue.com>
To: Eliot Lear <lear@lear.ch>
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com> <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch> <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com> <BF4069C2-225D-4BA6-97FC-5CB6B09DA657@pch.net> <b0527e86-9636-1d80-c2cf-526c6b050b90@lear.ch> <418D9CE4-6134-447A-A863-F028C325E4FF@pch.net> <b49bbf0f-dd8f-5592-de8e-96ffd87127bb@lear.ch>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/KIByAfAP7PT0l-BPV0Fy69YQayc>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 15:39:23 -0000


> On Nov 9, 2021, at 4:29 PM, Eliot Lear <lear@lear.ch> wrote:
> On 09.11.21 16:23, Bill Woodcock wrote:
>> If you’re operating a split view, there’s a degree of complexity involved in managing the separation after the split (or, more likely, you just have two different sources of authority, but it comes to the same thing).  If you’re DNSSEC signing, you’ve got a process for that, and you’re running zones through it.  Both are complex processes, but neither makes the other more complex than it would have been otherwise, that I can see...
> 
> But Bill, you have to decide in your mind if that complexity is additive or worse.  My own experience is worse because the tools integration is SOMETIMES lacking.  We can say that this is a point of differentiation for vendors, but I think any time we say that what we've just said is that it's a hard problem.

The split-view problem is in the doctor-it-hurts-when-I-do-this category.  The DNSSEC problem is in the “damn, I sure wish this were all a little simpler and more obvious/self-explanatory and the tools were a little better” category.  I don’t (intentionally, anyway) do the former.  I cope with the latter.  So I can’t personally say that it’s worse than additive, but my intuition said just additive.  Which isn’t a strong argument, obviously.

I think there’s a very good argument in favor of better tools and better education around DNSSEC.  I think the train has pretty well left the station in terms of redesigning it to be simpler.  But, anyway, I think there’s definitely room for improvement with DNSSEC.

I think split-horizon is conceptually simple, but just creates an inherently fragile situation, in which it’s easy to have unintended consequences.

While I’d like DNSSEC to be ubiquitous, and I recognize that split-horizon isn’t going away any time soon, I’m not sure that it’s worth putting effort into making that particular combination easier, when effort could be applied to making DNSSEC easier, and it would benefit both the people who are doing split horizon, and everyone else.

                                -Bill

v2.23.0 | Report a Bug | By Email