OFFTOPIC: DNSSEC groupthink versus improving DNS
bert hubert <bert.hubert@netherlabs.nl> Thu, 07 August 2008 13:49 UTC
Date: Thu, 07 Aug 2008 15:42:37 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Namedroppers <namedroppers@ops.ietf.org>
Subject: OFFTOPIC: DNSSEC groupthink versus improving DNS
Message-ID: <20080807134236.GA19024@outpost.ds9a.nl>
References: <489AD5E3.20708@nlnetlabs.nl>
On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
> The best solution is of course DNSSEC. Crypto signatures instead of
> randomisation games. Enable DNSSEC validation now.

Not specifically aimed at you Wouter, but it appears the most vocal people in the DNS world are starting to suffer from "groupthink".

http://en.wikipedia.org/wiki/Groupthink

"A mode of thinking that people engage in when they are deeply involved in a cohesive in-group, when the members' strivings for unanimity override their motivation to realistically appraise alternative courses of action"

"Groupthink tends to occur on committees and in large organizations. [..]"

For a fine compendium of the kind of statements I mean, please see
http://www.dnssec-deployment.org/news/dnssecthismonth/current/

  DNSSEC cited as "only full solution" to recent DNS vulnerability
  "DNSSEC is the only full solution."
  "We at ISC hope that this issue will draw attention to DNSSEC, which in the end will only be the real solution"

And this can't be good - it is leading us to make statements which are patently untrue, like "turn on DNSSEC to be safe". Or 79 page presentations called "DNSSEC in six minutes" - giving people 4.6 seconds per page. It is just not real.
http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

Or asking people repeatedly to remove the phrase "under development" when DNSSEC is referred to as a solution under development - which it patently is.

If the goal is to deploy DNSSEC quickly, roll out the tools surrounding it, invent the protocols for getting your keying material upstream, widen the registry-registrar protocols to fit these records, create the emergency key rollover procedures (and don't hide the need for them), implement 'auto-sign yes;' etc etc etc. The only way DNSSEC will ever work is if it is only slightly harder to operate than DNS.

But if you care about DNSSEC, please stop pretending DNSSEC is ready to deploy and just waiting for people to get around to it.

If you care about DNSSEC, don't hide that it might in itself have security implications.

If you care about DNSSEC, please also stop pretending it is not far harder to operate than DNS itself. DNS is already considered to be difficult, and operators mess it up all the time. It is not like adding an 's' to 'http://'.

All these things will come back to haunt you when people actually do follow the advice to turn on DNSSEC now, and discover they've either done something that doesn't help (signing without getting the trust anchor used), or have actually caused their domains to go down, because they did not institutionalize the key rollover procedures. ("You mean this goes down if I don't re-sign in time? Wow!").

The reason I rant on about this is that I care deeply about DNS, and that DNS is *currently* under attack. While DNSSEC is aggressively branded as a fine solution, at best, it will be a solution in a few years.

Additionally, given things I've said before, I personally don't think DNSSEC will ever see wide usage in the real world, so I feel very strongly that not only do we need to improve DNS in the short term, the short term solution also needs to be the long term solution.

But no matter what I feel - please everybody take a minute to read the symptoms of groupthink, and wonder if we are still doing the best job we can to improve DNS in the real world. Because that is our goal. I hope.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
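The operational failure mode the mail points at (a signed zone that stops validating because nobody re-signed before the RRSIG expiration) is something an operator can monitor for. The following is an added example, not code from the original mail or from PowerDNS: a Python check over constructed presentation-format RRSIG records (the zone example.com, key tag 12345 and the signature bodies are placeholders) that flags signatures which have expired, are about to, or are not yet valid because their inception lies in the future.

```python
"""Check RRSIG validity windows in presentation-format DNS records.

Added example, not code from the original mail or from PowerDNS. The zone
name example.com, the key tag and the signature bodies are constructed
placeholders; the field layout follows RFC 4034 section 3.2.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: four RRSIGs of one zone, each in a different state.
SAMPLE_RRSIGS = """\
example.com.      3600 IN RRSIG SOA 8 2 3600 20080901000000 20080801000000 12345 example.com. c2lnMQ==
www.example.com.  3600 IN RRSIG A   8 3 3600 20080810000000 20080711000000 12345 example.com. c2lnMg==
example.com.      3600 IN RRSIG NS  8 2 3600 20080805000000 20080706000000 12345 example.com. c2lnMw==
mail.example.com. 3600 IN RRSIG MX  8 3 3600 20080901000000 20080815000000 12345 example.com. c2lnNA==
"""
# "Now" is pinned to the date of this mail so the run is reproducible.
NOW = datetime(2008, 8, 7, 13, 42, 37, tzinfo=timezone.utc)

def parse_sigtime(field):
    """RRSIG expiration and inception are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield one dict per RRSIG line; other record types are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        yield {"owner": f[0], "covers": f[4], "expiration": parse_sigtime(f[8]),
               "inception": parse_sigtime(f[9]), "keytag": int(f[10]), "signer": f[11]}

def classify(sig, now, warn=timedelta(days=7)):
    """Validators reject a signature outside [inception, expiration);
    'expiring' warns the operator before that happens, 'not_yet_valid'
    catches a re-sign done with a skewed clock or a too-late inception."""
    if now < sig["inception"]:
        return "not_yet_valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring"
    return "ok"

def check_zone(text, now, warn=timedelta(days=7)):
    """Return {(owner, covered type): status} for every RRSIG in text."""
    return {(s["owner"], s["covers"]): classify(s, now, warn) for s in parse_rrsigs(text)}

if __name__ == "__main__":
    for (owner, covers), status in sorted(check_zone(SAMPLE_RRSIGS, NOW).items()):
        print(f"{status:14} {owner} RRSIG({covers})")
```

In practice the records would come from the served zone (for instance an AXFR or a zone-file read) rather than an inline string, and anything other than "ok" would page the operator.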