Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Federico Lucifredi <flucifredi@ximian.com> Thu, 07 August 2008 21:07 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 910B63A6872; Thu, 7 Aug 2008 14:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.137
X-Spam-Level: *
X-Spam-Status: No, score=1.137 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lUS5eExO-zKd; Thu, 7 Aug 2008 14:07:41 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A4EB43A69A7; Thu, 7 Aug 2008 14:07:40 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KRCcc-000DOj-5v for namedroppers-data@psg.com; Thu, 07 Aug 2008 21:02:10 +0000
Received: from [69.17.117.5] (helo=mail3.sea5.speakeasy.net) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <flucifredi@ximian.com>) id 1KRCcX-000DO9-Lm for namedroppers@ops.ietf.org; Thu, 07 Aug 2008 21:02:07 +0000
Received: (qmail 19341 invoked from network); 7 Aug 2008 21:02:04 -0000
Received: from unknown (HELO [164.99.130.55]) (federico@[130.57.22.201]) (envelope-sender <flucifredi@ximian.com>) by mail3.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <bert.hubert@netherlabs.nl>; 7 Aug 2008 21:02:04 -0000
Message-ID: <489B63C7.3090700@ximian.com>
Date: Thu, 07 Aug 2008 17:06:15 -0400
From: Federico Lucifredi <flucifredi@ximian.com>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: bert hubert <bert.hubert@netherlabs.nl>
CC: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

I have read Hubert-DNSSEC-groupthink and support its adoption as a WG 
document :-)

  -F

bert hubert wrote:
> On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
>> The best solution is of course DNSSEC. Crypto signatures instead of
>> randomisation games. Enable DNSSEC validation now.
> 
> Not specifically aimed at you Wouter, but it appears the most vocal people
> in the DNS world are starting to suffer from "groupthink". 
> 
> http://en.wikipedia.org/wiki/Groupthink
> 
> "A mode of thinking that people engage in when they are deeply involved in a
>  cohesive in-group, when the members' strivings for unanimity override their
>  motivation to realistically appraise alternative courses of action"
> 
> "Groupthink tends to occur on committees and in large organizations. 
>  [..]"
> 
> For a fine compendium of the kind of statements I mean, please see
> http://www.dnssec-deployment.org/news/dnssecthismonth/current/
> 
> 	DNSSEC cited as "only full solution" to recent DNS vulnerability
> 
> 	"DNSSEC is the only full solution."
> 
> 	"We at ISC hope that this issue will draw attention to DNSSEC, which
> 	in the end will only be the real solution"
> 
> And this can't be good - it is leading us to make statements which are
> patently untrue, like "turn on DNSSEC to be safe".
> 
> Or 79 page presentations called "DNSSEC in six minutes" - giving people 4.6
> seconds per page. It is just not real.
> http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf 
> 
> Or asking people repeatedly to remove the phrase "under development" when
> DNSSEC is referred to as a solution under development - which it patently
> is. 
> 
> If the goal is to deploy DNSSEC quickly, roll out the tools surrounding it,
> invent the protocols for getting your keying material upstream, widen the
> registry-registrar protocols to fit these records, create the emergency key
> rollover procedures (and don't hide the need for them), implement 'auto-sign
> yes;' etc etc etc. The only way DNSSEC will ever work is if it is only slightly
> harder to operate than DNS.
> 
> But if you care about DNSSEC, please stop pretending DNSSEC is ready to
> deploy and just waiting for people to get around to it.
> 
> If you care about DNSSEC, don't hide that it might in itself have security
> implications.
> 
> If you care about DNSSEC, please also stop pretending it is not far harder
> to operate than DNS itself. DNS is already considered to be difficult, and
> operators mess it up all the time. It is not like adding an 's' to
> 'http://'.
> 
> All these things will come back to haunt you when people actually do follow
> the advice to turn on DNSSEC now, and discover they've either done something
> that doesn't help (signing without getting the trust anchor used), or have
> actually caused their domains to go down, because they did not
> institutionalize the key rollover procedures.
> 
> ("You mean this goes down if I don't re-sign in time? Wow!").
> 
> The reason I rant on about this is that I care deeply about DNS, and that
> DNS is *currently* under attack. While DNSSEC is aggressively branded as a
> fine solution, at best, it will be a solution in a few years.
> 
> Additionally, given things I've said before, I personally don't think DNSSEC
> will ever see wide usage in the real world, so I feel very strongly that not
> only do we need to improve DNS in the short term, the short term solution
> also needs to be the long term solution.
> 
> But no matter what I feel - please everybody take a minute to read the
> symptoms of groupthink, and wonder if we are still doing the best job we can
> to improve DNS in the real world. 
> 
> Because that is our goal. I hope. 
> 
> 	Bert
> 


-- 

_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - flucifredi@ximian.com


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
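The failure mode Bert describes, a signed zone that "goes down" because nobody re-signed before the RRSIGs expired, is something an operator can monitor for rather than discover from a resolver outage. The checker below is an added example, not code from this thread or from ISC, NLnet Labs or PowerDNS; it assumes the zone is available in standard presentation format (RFC 4034 section 3.2, one RRSIG per line, as in a signed zone file or the answer section of `dig +dnssec`), and it flags signatures that are already expired, not yet valid (inception in the future, which also makes the RRset bogus for validators), or inside a warning window. The sample records and the "current time" are constructed for the walkthrough.

```python
"""Check RRSIG validity windows in a signed zone (added example).

Assumption (not from the thread): the zone is available in standard
presentation format (RFC 4034, section 3.2), one RRSIG per line, as in a
signed zone file or the answer section of `dig +dnssec`.
"""
from datetime import datetime, timezone

# Constructed sample records (not real zone data); signature fields are
# placeholders. Field order after RRSIG: type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer, signature.
SAMPLE_ZONE = """\
example.com.     3600 IN RRSIG SOA 8 2 3600 20080820000000 20080721000000 12345 example.com. AbCd==
example.com.     3600 IN RRSIG A   8 2 3600 20080805000000 20080706000000 12345 example.com. EfGh==
www.example.com.  300 IN RRSIG A   8 3  300 20080901000000 20080815000000 12345 example.com. IjKl==
"""

# Constructed "current time" for the walkthrough: a week after the thread.
EXAMPLE_NOW = datetime(2008, 8, 14, 12, 0, tzinfo=timezone.utc)

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # YYYYMMDDHHmmSS, always UTC


def parse_rrsig(line):
    """Parse one RRSIG line in presentation format; return None for other lines."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        return None
    expiration = datetime.strptime(fields[8], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(fields[9], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    return {
        "owner": fields[0],
        "covered": fields[4],
        "expiration": expiration,
        "inception": inception,
        "keytag": int(fields[10]),
        "signer": fields[11],
    }


def check_rrsigs(zone_text, now, warn_days=7):
    """Classify each RRSIG relative to `now`.

    A validator (RFC 4035, section 5.3.1) accepts a signature only when
    inception <= now <= expiration, so both 'expired' and 'not_yet_valid'
    make the covered RRset bogus, i.e. the name stops resolving for
    validating resolvers. Returns (owner, covered type, status, days until
    expiration; negative once expired).
    """
    results = []
    for line in zone_text.splitlines():
        sig = parse_rrsig(line)
        if sig is None:
            continue
        days_left = int((sig["expiration"] - now).total_seconds() / 86400)
        if now >= sig["expiration"]:
            status = "expired"
        elif now < sig["inception"]:
            status = "not_yet_valid"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append((sig["owner"], sig["covered"], status, days_left))
    return results


def summarize(results):
    """Count records per status, for an alerting threshold."""
    counts = {"ok": 0, "expiring": 0, "expired": 0, "not_yet_valid": 0}
    for _, _, status, _ in results:
        counts[status] += 1
    return counts


def run_example():
    """Run the checker over the constructed sample at the constructed time."""
    return check_rrsigs(SAMPLE_ZONE, EXAMPLE_NOW)


if __name__ == "__main__":
    findings = run_example()
    for owner, covered, status, days in findings:
        print(f"{owner:20} RRSIG({covered:4}) {status:14} {days:+d} days to expiry")
    print(summarize(findings))
```

Run from cron against a fresh AXFR or zone dump and page on any non-zero "expired", "not_yet_valid" or "expiring" count; the warning window should be longer than the re-signing interval, so that a stalled signer is noticed while the old signatures are still valid. The "not_yet_valid" case catches a zone re-signed with an inception ahead of the validators' clocks, which fails the same way as an expired one.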