Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Federico Lucifredi <flucifredi@ximian.com> Thu, 07 August 2008 21:07 UTC
Message-ID: <489B63C7.3090700@ximian.com>
Date: Thu, 07 Aug 2008 17:06:15 -0400
From: Federico Lucifredi <flucifredi@ximian.com>
To: bert hubert <bert.hubert@netherlabs.nl>
CC: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>
I have read Hubert-DNSSEC-groupthink and support its adoption as a WG document :-)

-F

bert hubert wrote:
> On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
>> The best solution is of course DNSSEC. Crypto signatures instead of
>> randomisation games. Enable DNSSEC validation now.
>
> Not specifically aimed at you Wouter, but it appears the most vocal people
> in the DNS world are starting to suffer from "groupthink".
>
> http://en.wikipedia.org/wiki/Groupthink
>
> "A mode of thinking that people engage in when they are deeply involved in a
> cohesive in-group, when the members' strivings for unanimity override their
> motivation to realistically appraise alternative courses of action"
>
> "Groupthink tends to occur on committees and in large organizations.
> [..]"
>
> For a fine compendium of the kind of statements I mean, please see
> http://www.dnssec-deployment.org/news/dnssecthismonth/current/
>
> DNSSEC cited as "only full solution" to recent DNS vulnerability
>
> "DNSSEC is the only full solution."
>
> "We at ISC hope that this issue will draw attention to DNSSEC, which
> in the end will only be the real solution"
>
> And this can't be good - it is leading us to make statements which are
> patently untrue, like "turn on DNSSEC to be safe".
>
> Or 79 page presentations called "DNSSEC in six minutes" - giving people 4.6
> seconds per page. It is just not real.
> http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
>
> Or asking people repeatedly to remove the phrase "under development" when
> DNSSEC is referred to as a solution under development - which it patently
> is.
>
> If the goal is to deploy DNSSEC quickly, roll out the tools surrounding it,
> invent the protocols for getting your keying material upstream, widen the
> registry-registrar protocols to fit these records, create the emergency key
> rollover procedures (and don't hide the need for them), implement 'auto-sign
> yes;' etc etc etc. The only way DNSSEC will ever work is if it is only
> slightly harder to operate than DNS.
>
> But if you care about DNSSEC, please stop pretending DNSSEC is ready to
> deploy and just waiting for people to get around to it.
>
> If you care about DNSSEC, don't hide that it might in itself have security
> implications.
>
> If you care about DNSSEC, please also stop pretending it is not far harder
> to operate than DNS itself. DNS is already considered to be difficult, and
> operators mess it up all the time. It is not like adding an 's' to
> 'http://'.
>
> All these things will come back to haunt you when people actually do follow
> the advice to turn on DNSSEC now, and discover they've either done something
> that doesn't help (signing without getting the trust anchor used), or have
> actually caused their domains to go down, because they did not
> institutionalize the key rollover procedures.
>
> ("You mean this goes down if I don't re-sign in time? Wow!").
>
> The reason I rant on about this is that I care deeply about DNS, and that
> DNS is *currently* under attack. While DNSSEC is aggressively branded as a
> fine solution, at best, it will be a solution in a few years.
>
> Additionally, given things I've said before, I personally don't think DNSSEC
> will ever see wide usage in the real world, so I feel very strongly that not
> only do we need to improve DNS in the short term, the short term solution
> also needs to be the long term solution.
>
> But no matter what I feel - please everybody take a minute to read the
> symptoms of groupthink, and wonder if we are still doing the best job we can
> to improve DNS in the real world.
>
> Because that is our goal. I hope.
>
> Bert
>

-- 
_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - flucifredi@ximian.com