Re: [Add] some background on split DNS with DNSSEC

Eliot Lear <lear@lear.ch> Tue, 09 November 2021 16:27 UTC

Message-ID: <c4c6b8a1-06f4-e628-b5f4-3aa1ccf9a25a@lear.ch>
Date: Tue, 09 Nov 2021 17:27:24 +0100
To: Bill Woodcock <woody@pch.net>
Cc: add@ietf.org, Ted Lemon <mellon@fugue.com>
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com> <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch> <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com> <BF4069C2-225D-4BA6-97FC-5CB6B09DA657@pch.net> <b0527e86-9636-1d80-c2cf-526c6b050b90@lear.ch> <418D9CE4-6134-447A-A863-F028C325E4FF@pch.net> <b49bbf0f-dd8f-5592-de8e-96ffd87127bb@lear.ch> <8315C730-CFC2-4BBA-8909-1DD4AEC97352@pch.net> <47958af2-8da7-1c71-bb94-28e4067d54c2@lear.ch> <48763BE7-0E72-4A03-A63A-1A63E7E21AC3@pch.net>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <48763BE7-0E72-4A03-A63A-1A63E7E21AC3@pch.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qXv5zMmkZRziZkamsvyUfKzkK4I>
Subject: Re: [Add] some background on split DNS with DNSSEC

Bill:

On 09.11.21 17:13, Bill Woodcock wrote:
> If what you’re saying is that when we depend upon tools to cover fragile or overly-complicated things with abstraction layers to “solve the problem” that we’re actually adding complexity and fragility, and that that’s a bad idea (“when you’re in a hole, stop digging”), then yes, I agree with that as well.
>
> The biggest problem I see with standards development now is the desire to solve many problems within single monolithic protocols, rather than making small, simple, easily-comprehended modular building blocks that can be put together in different ways to solve different problems.

While I don't disagree with what you say, what I'm saying is that DNSSEC has had PLENTY of time to diffuse and hasn't done so.  In fact, I would argue that new impediments have shown up that lend themselves to centralization, which is the risk of amplification attacks that have led secondary services to charge extra.

And my admittedly snide initial comment was meant to convey that we ought to think of taking another look at naming and security that accommodates mechanisms like split views, rather than simply says, “Those are bad!”

Eliot