Re: [Danish] Proposed WG Charter

Shumon Huque <shuque@gmail.com> Tue, 15 June 2021 01:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/nxtCRco_jF-Ekb88xB9By-QAsDw>

On Mon, Jun 14, 2021 at 8:01 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Mon, Jun 14, 2021 at 02:26:50PM -0700, Ash Wilson wrote:
>
> > > If the charter of this WG is to sink DNSSEC, that needs to be stated
> > > explicitly in the charter, and then say why this work should not be in
> > > other PKI-based WGs.
> >
> > This charter proposes the creation of an easier adoption path for
> > DNS-based identities, which includes DNSSEC. I don't think anyone here
> > wants to sink DNSSEC.
>
> Well, but it sends a needlessly discouraging message, many of the
> purported difficulties with signing authoritative DNSSEC zones are
> anecdotal and outdated.  Yes, not all registrars support DNSSEC equally
> well, but there are many registrars to choose from, vote with your feet
> and $$.  Almost 15.2 million domains are already signed, the time has
> come to stop working around the right way to securely publish data in
> DNS.
>
> Piling on work-arounds does in fact hinder DNSSEC adoption, and we
> should seriously consider putting an end to this.
>

The BoF proponents have no desire to sink DNSSEC. It's the opposite
in fact, but we also want to provide interim mechanisms for environments
that don't have DNSSEC yet.

I can also say from personal experience that deploying DNSSEC in
a large complex enterprise remains extremely challenging. Some of the
largest commercial DNS providers in the world have had constant
challenges handling the scale of my employer's signed DNS (ask me
offline sometime and I'll spill the beans). And just a few weeks ago, I
found another critical DNSSEC bug in one of the major open source
DNS implementations.

Shumon.