RE: OFFTOPIC: DNSSEC groupthink versus improving DNS
Jesper G. Høy <jesper@jhsoft.com> Thu, 07 August 2008 16:21 UTC
From: "Jesper G. Høy" <jesper@jhsoft.com>
To: 'bert hubert' <bert.hubert@netherlabs.nl>, 'Namedroppers' <namedroppers@ops.ietf.org>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>
Subject: RE: OFFTOPIC: DNSSEC groupthink versus improving DNS
Date: Thu, 07 Aug 2008 18:16:20 +0200
Message-ID: <016a01c8f8a8$ee94ea30$cbbebe90$@com>
Hear hear !!

Jesper

> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of bert hubert
> Sent: Thursday, August 07, 2008 3:43 PM
> To: Namedroppers
> Subject: OFFTOPIC: DNSSEC groupthink versus improving DNS
>
> On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
> > The best solution is of course DNSSEC. Crypto signatures instead of
> > randomisation games. Enable DNSSEC validation now.
>
> Not specifically aimed at you Wouter, but it appears the most vocal people
> in the DNS world are starting to suffer from "groupthink".
>
> http://en.wikipedia.org/wiki/Groupthink
>
> "A mode of thinking that people engage in when they are deeply involved in a
> cohesive in-group, when the members' strivings for unanimity override their
> motivation to realistically appraise alternative courses of action"
>
> "Groupthink tends to occur on committees and in large organizations. [..]"
>
> For a fine compendium of the kind of statements I mean, please see
> http://www.dnssec-deployment.org/news/dnssecthismonth/current/
>
> DNSSEC cited as "only full solution" to recent DNS vulnerability
>
> "DNSSEC is the only full solution."
>
> "We at ISC hope that this issue will draw attention to DNSSEC, which
> in the end will only be the real solution"
>
> And this can't be good - it is leading us to make statements which are
> patently untrue, like "turn on DNSSEC to be safe".
>
> Or 79 page presentations called "DNSSEC in six minutes" - giving people 4.6
> seconds per page. It is just not real.
> http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
>
> Or asking people repeatedly to remove the phrase "under development" when
> DNSSEC is referred to as a solution under development - which it patently
> is.
>
> If the goal is to deploy DNSSEC quickly, roll out the tools surrounding it,
> invent the protocols for getting your keying material upstream, widen the
> registry-registrar protocols to fit these records, create the emergency key
> rollover procedures (and don't hide the need for them), implement 'auto-sign
> yes;' etc etc etc. The only way DNSSEC will ever work is if it is only
> slightly harder to operate than DNS.
>
> But if you care about DNSSEC, please stop pretending DNSSEC is ready to
> deploy and just waiting for people to get around to it.
>
> If you care about DNSSEC, don't hide that it might in itself have security
> implications.
>
> If you care about DNSSEC, please also stop pretending it is not far harder
> to operate than DNS itself. DNS is already considered to be difficult, and
> operators mess it up all the time. It is not like adding an 's' to
> 'http://'.
>
> All these things will come back to haunt you when people actually do follow
> the advice to turn on DNSSEC now, and discover they've either done something
> that doesn't help (signing without getting the trust anchor used), or have
> actually caused their domains to go down, because they did not
> institutionalize the key rollover procedures.
>
> ("You mean this goes down if I don't re-sign in time? Wow!").
>
> The reason I rant on about this is that I care deeply about DNS, and that
> DNS is *currently* under attack. While DNSSEC is aggressively branded as a
> fine solution, at best, it will be a solution in a few years.
>
> Additionally, given things I've said before, I personally don't think DNSSEC
> will ever see wide usage in the real world, so I feel very strongly that not
> only do we need to improve DNS in the short term, the short term solution
> also needs to be the long term solution.
>
> But no matter what I feel - please everybody take a minute to read the
> symptoms of groupthink, and wonder if we are still doing the best job we can
> to improve DNS in the real world.
>
> Because that is our goal. I hope.
>
> Bert
>
> --
> http://www.PowerDNS.com Open source, database driven DNS Software
> http://netherlabs.nl Open and Closed source services
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
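The outage Bert describes ("this goes down if I don't re-sign in time") is the kind of failure a routine check can catch before validating resolvers start rejecting the zone. The following is an added example, not code from this thread or from PowerDNS: it parses RRSIG records in zone-file presentation format and classifies each signature's validity window; the `example.test` zone, key tag, signature data and the "now" timestamp are all constructed.

```python
"""Flag RRSIGs that are expired, not yet valid, or close to expiry. A validating
resolver rejects an RRset whose RRSIG has expired, so an un-re-signed zone goes dark."""
from datetime import datetime, timedelta, timezone

# Constructed sample records in zone-file presentation format (made-up
# zone, key tag and signature data; not taken from any real zone).
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A   8 2 3600 20080901000000 20080801000000 12345 example.test. AbCd==
example.test. 3600 IN RRSIG SOA 8 2 3600 20080810120000 20080801000000 12345 example.test. EfGh==
example.test. 3600 IN RRSIG NS  8 2 3600 20080805000000 20080801000000 12345 example.test. IjKl==
example.test. 3600 IN RRSIG MX  8 2 3600 20080901000000 20080808000000 12345 example.test. MnOp==
"""
SAMPLE_NOW = "20080807161620"  # constructed "now": the date of the mail above, UTC

def _ts(field):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # owner ttl class RRSIG type alg labels orig_ttl expiration inception key_tag signer sig
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": _ts(f[8]), "inception": _ts(f[9]),
            "key_tag": int(f[10]), "signer": f[11]}

def rrsig_status(sig, now, warn_before=timedelta(days=3)):
    """Classify one signature's validity window relative to `now`."""
    if now < sig["inception"]:
        return "NOT_YET_VALID"   # published too early, or clock skew
    if now > sig["expiration"]:
        return "EXPIRED"         # validators now treat the RRset as bogus
    if sig["expiration"] - now <= warn_before:
        return "EXPIRING_SOON"   # re-sign before the window closes
    return "OK"

def check_zone(text, now_str, warn_before=timedelta(days=3)):
    """Return {type_covered: status} for every RRSIG line in `text`."""
    now = _ts(now_str)
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            sig = parse_rrsig(line)
            report[sig["type_covered"]] = rrsig_status(sig, now, warn_before)
    return report

def zone_is_healthy(report):
    """True only when no signature is expired or not yet valid."""
    return all(s in ("OK", "EXPIRING_SOON") for s in report.values())
```

Run against the sample, `check_zone(SAMPLE_RRSIGS, SAMPLE_NOW)` marks the SOA signature EXPIRING_SOON, the NS one EXPIRED and the MX one NOT_YET_VALID, so `zone_is_healthy()` returns False and the zone needs re-signing before anyone publishes it.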