RE: OFFTOPIC: DNSSEC groupthink versus improving DNS

Jesper G. Høy <jesper@jhsoft.com> Thu, 07 August 2008 16:21 UTC

From: "Jesper G. Høy" <jesper@jhsoft.com>
To: 'bert hubert' <bert.hubert@netherlabs.nl>, 'Namedroppers' <namedroppers@ops.ietf.org>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>
Subject: RE: OFFTOPIC: DNSSEC groupthink versus improving DNS
Date: Thu, 07 Aug 2008 18:16:20 +0200
Message-ID: <016a01c8f8a8$ee94ea30$cbbebe90$@com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Hear, hear!!

Jesper


> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org [mailto:owner-
> namedroppers@ops.ietf.org] On Behalf Of bert hubert
> Sent: Thursday, August 07, 2008 3:43 PM
> To: Namedroppers
> Subject: OFFTOPIC: DNSSEC groupthink versus improving DNS
> 
> On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
> > The best solution is of course DNSSEC. Crypto signatures instead of
> > randomisation games. Enable DNSSEC validation now.
> 
> Not specifically aimed at you Wouter, but it appears the most vocal people
> in the DNS world are starting to suffer from "groupthink".
> 
> http://en.wikipedia.org/wiki/Groupthink
> 
> "A mode of thinking that people engage in when they are deeply involved in a
>  cohesive in-group, when the members' strivings for unanimity override their
>  motivation to realistically appraise alternative courses of action"
> 
> "Groupthink tends to occur on committees and in large organizations.
>  [..]"
> 
> For a fine compendium of the kind of statements I mean, please see
> http://www.dnssec-deployment.org/news/dnssecthismonth/current/
> 
> 	DNSSEC cited as "only full solution" to recent DNS vulnerability
> 
> 	"DNSSEC is the only full solution."
> 
> 	"We at ISC hope that this issue will draw attention to DNSSEC, which
> 	in the end will only be the real solution"
> 
> And this can't be good - it is leading us to make statements which are
> patently untrue, like "turn on DNSSEC to be safe".
> 
> Or 79-page presentations called "DNSSEC in six minutes" - giving people 4.6
> seconds per page. It is just not real.
> http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
> 
> Or asking people repeatedly to remove the phrase "under development" when
> DNSSEC is referred to as a solution under development - which it patently
> is.
> 
> If the goal is to deploy DNSSEC quickly, roll out the tools surrounding it,
> invent the protocols for getting your keying material upstream, widen the
> registry-registrar protocols to fit these records, create the emergency key
> rollover procedures (and don't hide the need for them), implement 'auto-sign
> yes;' etc etc etc. The only way DNSSEC will ever work is if it is only
> slightly harder to operate than DNS.
> 
> But if you care about DNSSEC, please stop pretending DNSSEC is ready to
> deploy and just waiting for people to get around to it.
> 
> If you care about DNSSEC, don't hide that it might in itself have security
> implications.
> 
> If you care about DNSSEC, please also stop pretending it is not far harder
> to operate than DNS itself. DNS is already considered to be difficult, and
> operators mess it up all the time. It is not like adding an 's' to
> 'http://'.
> 
> All these things will come back to haunt you when people actually do follow
> the advice to turn on DNSSEC now, and discover they've either done something
> that doesn't help (signing without getting the trust anchor used), or have
> actually caused their domains to go down, because they did not
> institutionalize the key rollover procedures.
> 
> ("You mean this goes down if I don't re-sign in time? Wow!").
> 
> The reason I rant on about this is that I care deeply about DNS, and that
> DNS is *currently* under attack. While DNSSEC is aggressively branded as a
> fine solution, at best, it will be a solution in a few years.
> 
> Additionally, given things I've said before, I personally don't think DNSSEC
> will ever see wide usage in the real world, so I feel very strongly that not
> only do we need to improve DNS in the short term, the short term solution
> also needs to be the long term solution.
> 
> But no matter what I feel - please everybody take a minute to read the
> symptoms of groupthink, and wonder if we are still doing the best job we can
> to improve DNS in the real world.
> 
> Because that is our goal. I hope.
> 
> 	Bert
> 
> --
> http://www.PowerDNS.com      Open source, database driven DNS Software
> http://netherlabs.nl              Open and Closed source services
> 
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>

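
Added example, not part of either mail above and not code from PowerDNS, ISC or any other project named in the thread. The failure mode Bert describes ("this goes down if I don't re-sign in time") is the RRSIG validity window of RFC 4034/4035: a validating resolver accepts a signature only while inception <= now <= expiration, so a signed zone whose RRSIGs lapse goes bogus (SERVFAIL) for every validating client while non-validating resolvers keep answering as before, which is exactly why the outage is noticed late. The script below parses RRSIG records in zone-file presentation format and reports which signatures are valid, inside a warning window, already expired, or not yet valid. The owner name example.test, the key tag, the signature bytes and the 7-day warning threshold are constructed placeholders and assumptions for the demonstration, not real signatures.

```python
"""Audit DNSSEC RRSIG validity windows (added example, not from the mail)."""
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in presentation format (RFC 4034, section 3.2).
# Owner name, key tag and signature bytes are made-up placeholders, not real signatures.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A   8 2 3600 20080901000000 20080802000000 12345 example.test. QUJDRA==
example.test. 3600 IN RRSIG SOA 8 2 3600 20080810120000 20080801120000 12345 example.test. RUZHSA==
example.test. 3600 IN RRSIG NS  8 2 3600 20080805000000 20080726000000 12345 example.test. SUpLTA==
example.test. 3600 IN RRSIG MX  8 2 3600 20081001000000 20080901000000 12345 example.test. TU5PUA==
"""


def parse_sigtime(field: str) -> datetime:
    """Decode a YYYYMMDDHHmmSS signature time field; RRSIG times are always UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Split one presentation-format RRSIG line into its RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": parse_sigtime(f[8]),   # expiration precedes inception in RRSIG RDATA
        "inception": parse_sigtime(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),        # base64 may be split across whitespace
    }


def classify(sig: dict, now: datetime, warn_within: timedelta) -> str:
    """RFC 4035 section 5.3.1: a signature is usable only while inception <= now <= expiration."""
    if now < sig["inception"]:
        return "not_yet_valid"   # published too early or clock skew: validators reject it
    if now > sig["expiration"]:
        return "expired"         # validating resolvers now SERVFAIL on this RRset
    if sig["expiration"] - now <= warn_within:
        return "expiring"        # still valid, but the zone must be re-signed before it lapses
    return "valid"


def audit(zone_text: str, now_sigtime: str, warn_days: int = 7) -> list:
    """Return (owner, type covered, status, seconds until expiration) for every RRSIG line.

    `now_sigtime` uses the same YYYYMMDDHHmmSS form as the records so the audit is
    reproducible; a negative remaining value means the signature has already lapsed.
    """
    now = parse_sigtime(now_sigtime)
    warn_within = timedelta(days=warn_days)
    report = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                       # skip blank lines and zone-file comments
        sig = parse_rrsig(line)
        remaining = int((sig["expiration"] - now).total_seconds())
        report.append((sig["owner"], sig["type_covered"], classify(sig, now, warn_within), remaining))
    return report


def needs_resign(report: list) -> bool:
    """True if any signature is expired or inside the warning window."""
    return any(status in ("expired", "expiring") for _, _, status, _ in report)


if __name__ == "__main__":
    # Evaluate at the date of the mail above (assumed clock for the demo).
    for owner, rtype, status, remaining in audit(SAMPLE_RRSIGS, "20080807161620"):
        print(f"{owner:14} {rtype:4} {status:14} {remaining / 86400:7.1f} days to expiration")
```

Run as-is it prints one line per RRSIG evaluated at the date of the mail; in practice the input would be a zone transfer or the RRSIG lines from a dig +dnssec query, and the alert threshold should sit well above the re-signing interval so that a missed cron run is caught before the shortest-lived signature lapses. The check covers only the signatures' time window: it says nothing about whether the DS record at the parent matches the key that produced them, which is the other failure Bert names (signing without the trust anchor being used).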