Re: [Add] some background on split DNS with DNSSEC
Eliot Lear <lear@lear.ch> Tue, 09 November 2021 16:27 UTC
To: Bill Woodcock <woody@pch.net>
Cc: add@ietf.org, Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qXv5zMmkZRziZkamsvyUfKzkK4I>

Bill:

On 09.11.21 17:13, Bill Woodcock wrote:
> If what you’re saying is that when we depend upon tools to cover fragile or overly-complicated things with abstraction layers to “solve the problem” that we’re actually adding complexity and fragility, and that that’s a bad idea (“when you’re in a hole, stop digging”), then yes, I agree with that as well.
>
> The biggest problem I see with standards development now is the desire to solve many problems within single monolithic protocols, rather than making small, simple, easily-comprehended modular building blocks that can be put together in different ways to solve different problems.

While I don't disagree with what you say, what I'm saying is that DNSSEC has had PLENTY of time to diffuse and hasn't done so. In fact, I would argue that new impediments have shown up that lend themselves to centralization, which is the risk of amplification attacks that have led secondary services to charge extra.

And my admittedly snide initial comment was meant to convey that we ought to think of taking another look at naming and security that accommodates mechanisms like split views, rather than simply says, “Those are bad!”

Eliot