Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 04 October 2011 22:51 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2233721F8F08 for <dnsext@ietfa.amsl.com>; Tue, 4 Oct 2011 15:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbFLlaqkiU3C for <dnsext@ietfa.amsl.com>; Tue, 4 Oct 2011 15:51:24 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5851A21F8F00 for <dnsext@ietf.org>; Tue, 4 Oct 2011 15:51:24 -0700 (PDT)
Received: by bkaq10 with SMTP id q10so1514404bka.31 for <dnsext@ietf.org>; Tue, 04 Oct 2011 15:54:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SzA9te0kjOug88/OY22BiCQuKu1mi7R9W7i8ntN8ODc=; b=jOTghdfNR6aqgagm1dyjb7dY4K9VqewbDrbYC/5i7TPZwa4JkM5ya5vdHntudbREfV Xk0t1nvrLn/s2ekzryWTppT47G7VXCrHkwclE1MWEypi65xCSNNfU8o73aJi27I+coFf bkwcq9wfWepPXeG2ErQeWy/lC/SRZxCX9I0q0=
MIME-Version: 1.0
Received: by 10.204.128.88 with SMTP id j24mr1127167bks.74.1317768869912; Tue, 04 Oct 2011 15:54:29 -0700 (PDT)
Received: by 10.204.157.27 with HTTP; Tue, 4 Oct 2011 15:54:29 -0700 (PDT)
In-Reply-To: <20111004143947.205a61dff9fc1684c258b274662bb912.04bcda2f2f.wbe@email00.secureserver.net>
References: <20111004143947.205a61dff9fc1684c258b274662bb912.04bcda2f2f.wbe@email00.secureserver.net>
Date: Tue, 04 Oct 2011 18:54:29 -0400
Message-ID: <CAH1iCir9T0kSL=_-f_FW1jcfN3D+z5tHc18ML0L9h5Znm45vZw@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Michael Sheldon <msheldon@godaddy.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2011 22:51:25 -0000

On Tue, Oct 4, 2011 at 5:39 PM, Michael Sheldon <msheldon@godaddy.com> wrote:
> That said, I haven't seen any compelling reason to support a protocol
> change that seems solely for the purpose of fixing other people's
> network mis-configurations.

There are subtleties in the unintended consequences of messing with DNS.

By "messing with", I refer to ISPs doing arbitrary stuff, including
but not limited to NXDOMAIN or other forms of DNS hijacking.

Blocking the DNSSEC portion of DNS responses, either deliberately or
by lack of support, is another form of "messing with", and may also be
used to hide the other (deliberate) activity.

When DNSSEC stuff is blocked, not only does it reduce the trust in the
answers, it re-opens the window of vulnerability that DNSSEC was meant
to close. Not good.

Widespread blocking of DNSSEC threatens the adoption and utility of DNSSEC.

However ugly it might be, DNSSEC is important enough to warrant
considering counter-counter-measures.

This proposal is a very lightweight and elegant (IMHO)
counter-counter-measure. It makes valid answers from either authority
servers (if client == recursive server) or resolvers (if client ==
stub) possible to (a) get directly, and (b) trust and/or verify. In
many use cases, there is no alternative, particularly when there is a
local market monopoly or duopoly of such "bad actors".

Even if you don't use DNSSEC, please don't stop others from using it
or from making it possible to achieve widespread usage.

And I gently encourage use of DNSSEC by any and all -- especially when
your domain is your primary (sole?) source of revenue. (BTW - I am a
happy customer, FWIW. But I'd be happier if you used DNSSEC.)

Brian

P.S. Note also that mis-configurations are often deliberate,
especially when performed by the state. This proposal at least makes
feasible the unblocking of state-sponsored censorship at the DNS
level.
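The failure mode Brian describes above, a resolver path that drops the DNSSEC part of a response, is something a client can detect rather than silently accept. The following Python checker is an added example for this thread, not code from the post, from the draft, or from any resolver; it builds three constructed wire-format responses for the hypothetical name example.test (an intact one with an RRSIG and the AD bit, one with the RRSIG removed and AD cleared as a stripping middlebox would leave it, and one with no EDNS at all) and classifies each by whether the DO bit was echoed and whether signatures survived. The `zone_is_signed` argument stands in for what a real validator learns from the DS chain.

```python
import struct

# Constructed example: DNS wire-format builder plus a checker that reports
# whether a response still carries its DNSSEC material. Not code from the
# dnsext thread or the draft; record types and flag bits are from the DNS RFCs.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020        # header "authenticated data" bit (RFC 4035)
OPT_DO = 0x8000         # DNSSEC OK bit in the OPT pseudo-RR TTL field (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname, records, ad, do):
    """Build a minimal A-query response; records are (type, rdata) pairs."""
    flags = 0x8180 | (FLAG_AD if ad else 0)           # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = b"".join(encode_name(qname) + struct.pack("!HHIH", t, 1, 300, len(r)) + r
                      for t, r in records)
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL carries the DO bit
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, OPT_DO, 0) if do else b""
    return header + question + answer + opt


def parse_response(pkt: bytes) -> dict:
    """Return the AD flag, the echoed DO bit and the RRs of each section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    rrs, do = {"answer": [], "authority": [], "additional": []}, False
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata, off = pkt[off:off + rdlen], off + rdlen
            if rtype == TYPE_OPT:
                do = bool(ttl & OPT_DO)
            rrs[sec].append((name, rtype, rdata))
    return {"ad": bool(flags & FLAG_AD), "do": do, "rrs": rrs}


def dnssec_status(pkt: bytes, zone_is_signed: bool = True) -> str:
    """Classify what the path between us and the server left of the DNSSEC data.

    zone_is_signed is an assumption supplied by the caller (in a real validator
    it comes from the DS chain); with it, an answer lacking RRSIGs is not
    "insecure" but evidence of stripping, which RFC 4035 treats as Bogus.
    """
    info = parse_response(pkt)
    rrsigs = sum(1 for _, t, _ in info["rrs"]["answer"] if t == TYPE_RRSIG)
    if not info["do"]:
        return "edns-do-missing"       # EDNS/DO not echoed: DNSSEC not reaching us at all
    if rrsigs:
        return "dnssec-data-present"   # signatures survived; validation can proceed
    return "dnssec-stripped" if zone_is_signed else "unsigned-zone"


# Constructed sample responses for example.test (192.0.2.10 is in TEST-NET-1).
A_RDATA = bytes([192, 0, 2, 10])
# RRSIG rdata: covers A, alg 8, 2 labels, TTL 300, expiry/inception 0, key tag 12345,
# signer example.test, then a placeholder signature (never verified here).
RRSIG_RDATA = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 12345) \
    + encode_name("example.test") + b"\x00" * 64
INTACT = build_response("example.test", [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)], ad=True, do=True)
STRIPPED = build_response("example.test", [(TYPE_A, A_RDATA)], ad=False, do=True)
NO_EDNS = build_response("example.test", [(TYPE_A, A_RDATA)], ad=False, do=False)

if __name__ == "__main__":
    for label, pkt in (("intact", INTACT), ("stripped", STRIPPED), ("no-edns", NO_EDNS)):
        print(f"{label:9s} ad={parse_response(pkt)['ad']!s:5s} -> {dnssec_status(pkt)}")
```

The point of the three outcomes is the one the post makes: a stub that trusts the AD bit from a resolver it cannot verify learns nothing when the bit is cleared, whereas a client that knows the zone is signed and sees the DO bit echoed without any RRSIG has positive evidence that the path is interfering, and should treat the answer as bogus rather than as an unsigned zone.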