Re: Please stop this thread (was: OFFTOPIC: DNSSEC groupthink versus improving DNS)

David Conrad <drc@virtualized.org> Sat, 09 August 2008 01:14 UTC

From: David Conrad <drc@virtualized.org>
To: Matt Larson <mlarson@verisign.com>
Cc: namedroppers@ops.ietf.org
Subject: Re: Please stop this thread (was: OFFTOPIC: DNSSEC groupthink versus improving DNS)
Date: Fri, 08 Aug 2008 18:07:51 -0700
Message-Id: <819017D2-542B-4552-954B-9421995B24ED@virtualized.org>
In-Reply-To: <20080808233750.GA1799@sirocco.local>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl> <F153E1C5-6E05-475A-897D-471398D161C9@NLnetLabs.nl> <20080808125558.GA56310@commandprompt.com> <20080808233750.GA1799@sirocco.local>
List-ID: <namedroppers.ops.ietf.org>

Matt,

> Your message prompted me to re-read Bert's original "group-think"
> message and I find nothing inappropriate about it.  It was certainly
> not "perilously close to the line of _ad hominem_ attack", nor was it
> an attack at all.  I'd argue it was even on-topic, in that it
> questions if we're all doing the best engineering we can.

There is a difference between questioning whether we're doing the best  
that we can and implicitly accusing some number of us of intellectual  
laziness (at best) or actual dishonesty (at worst).

As you may be aware, I am no fan of DNSSEC (to put it mildly) and have  
actively argued caution on spending resources on deploying DNSSEC in  
numerous venues because I felt the cost outweighed the benefits it  
would bring towards ameliorating the risks inherent in the DNS and  
felt those resources would be better applied to things like routing  
security.  I have since changed my mind.  The cost of deploying DNSSEC  
is high, however the risk is greater than I originally estimated,  
hence I believe the benefit is worth the cost.  I still feel  
significant work needs to be done to DNSSEC to make it an effective  
defense, but it is clear to me that it is the right direction to go  
and we should go that direction sooner rather than later.

Others may feel differently.  However, I would not label those  
individuals nor would I accuse them of engaging in some deprecatory  
psychobabble buzzword of the day.  Such labeling and accusations  
needlessly polarize discussions, which I feel does not contribute  
towards forward motion.

But maybe that's just me.

> A hop-by-hop solution of adding more entropy would
> go a long way to addressing this attack.

This particular instantiation of the attack, maybe (how do you protect  
against on-the-datapath spoofing with hop-by-hop entropy addition?).   
However, again, it is treating the symptoms, not the disease.  How  
many times does the DNS community have to be bitten by the same  
fundamental bug before we finally squash that bug?  Do you or Bert or  
any of his <aol>Me too!</aol> supporters think the problem is going to  
get better over time with computers (and hence zombies) and networks  
constantly getting better/faster/more numerous?

> The lack of will I have
> perceived recently in this working group to pursue non-DNSSEC
> solutions frustrates me.

I'm sorry, what lack of will are you talking about?  I seem to recall  
a number of drafts being proposed and discussed that are not DNSSEC-related.  Forgery-resilience and dns-0x20 are two examples.  I have  
seen numerous people ask for solutions other than DNSSEC that address  
the fundamental weakness in the DNS. I myself would love to see an  
alternative to the bloated pig of a protocol, yet most of what I have  
seen appears to add even more fragility than DNSSEC and/or doesn't  
address the fundamental problem.

> So I join Bert in asking everyone to keep an open mind, think
> critically and keep engineering.

Suggestions of keeping an open mind and thinking critically should  
also be applied to those who do not want to implement DNSSEC (for  
whatever reason).

Regards,
-drc
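The exchange above turns on two technical points: how much an off-path forger gains from "hop-by-hop entropy" (random TXID, random source port, dns-0x20 case randomisation), and why none of it helps against someone on the data path who can read the query. The following toy model, added here as an illustration and not code from the thread or from any of the drafts it mentions, races a simulated resolver against both kinds of attacker and also computes the expected time to poison once the attacker can restart the race at will with fresh random names. The ephemeral port range, the per-packet rates and the race window are assumptions chosen for the example; real resolvers and real links differ.

```python
"""
Toy model of the DNS cache-poisoning race: what entropy an off-path
attacker must guess, why an on-path attacker needs none, and how the
expected time to poison scales with attacker speed.

Added illustration; not code from the mailing-list thread.
Assumptions: 16-bit TXID, ports drawn from 1024-65535 when randomised,
the resolver accepts the first answer whose TXID, port and (case-exact)
question name match its outstanding query.
"""
import math
import random

TXID_BITS = 16
EPHEMERAL_PORTS = range(1024, 65536)   # assumed randomised source-port range


def _random_case(qname, rng):
    # dns-0x20: each letter's case is chosen at random; the answer must echo it
    return "".join(c.upper() if c.isalpha() and rng.getrandbits(1) else c.lower()
                   for c in qname)


def resolver_query(qname, randomize_port, use_0x20, rng):
    """The (txid, source port, question name) the resolver will insist on in the answer."""
    txid = rng.getrandbits(TXID_BITS)
    port = rng.choice(EPHEMERAL_PORTS) if randomize_port else 53   # 53: fixed-port resolver
    name = _random_case(qname, rng) if use_0x20 else qname.lower()
    return (txid, port, name)


def entropy_bits(qname, randomize_port, use_0x20):
    """Bits an attacker who does NOT see the query has to guess per forged answer."""
    bits = float(TXID_BITS)
    if randomize_port:
        bits += math.log2(len(EPHEMERAL_PORTS))
    if use_0x20:
        bits += sum(c.isalpha() for c in qname)   # one bit per letter
    return bits


def off_path_attack(query, qname, randomize_port, use_0x20, forged, rng):
    """Attacker knows the name and the resolver's policy but never sees the query.
    Sends `forged` spoofed answers before the real one lands: TXIDs are swept
    (never repeating one), port and case are guessed fresh each packet."""
    txid = rng.getrandbits(TXID_BITS)
    for _ in range(forged):
        port = rng.choice(EPHEMERAL_PORTS) if randomize_port else 53
        name = _random_case(qname, rng) if use_0x20 else qname.lower()
        if (txid, port, name) == query:
            return True
        txid = (txid + 1) % (1 << TXID_BITS)
    return False


def on_path_attack(query):
    """Attacker on the data path copies TXID, port and case straight off the wire.
    Every entropy bit is public to this attacker, so the first forgery is accepted."""
    txid, port, name = query
    return (txid, port, name) == query


def off_path_success_rate(randomize_port, use_0x20, forged, trials,
                          qname="www.example.com", seed=1):
    """Fraction of races an off-path attacker wins; seeded so results are reproducible."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        q = resolver_query(qname, randomize_port, use_0x20, rng)
        wins += off_path_attack(q, qname, randomize_port, use_0x20, forged, rng)
    return wins / trials


def expected_seconds_to_poison(bits, forged_per_second, window_s):
    """Attacker who restarts the race with a new random subdomain each time faces
    no lockout, so expected races = 1/p with p = guesses per window / 2**bits.
    Doubling attacker bandwidth halves the expected time: the race only gets easier."""
    guesses = forged_per_second * window_s
    p = min(1.0, guesses / 2 ** bits)
    return window_s / p


if __name__ == "__main__":
    name = "www.example.com"
    for port_rnd, c20 in [(False, False), (True, False), (True, True)]:
        bits = entropy_bits(name, port_rnd, c20)
        print(f"port_rnd={port_rnd!s:5} 0x20={c20!s:5} bits={bits:5.1f} "
              f"off-path win rate (2000 forged/race) ="
              f" {off_path_success_rate(port_rnd, c20, 2000, 50):.2f}  "
              f"on-path wins: {on_path_attack(resolver_query(name, port_rnd, c20, random.Random(7)))}")
    for rate in (10_000, 100_000):
        print(f"{rate} pkt/s, 32 bits: {expected_seconds_to_poison(32, rate, 0.1):.0f} s expected")
```

The on-path result is the answer to the question in the message: a forger who sees the query matches every field on the first try regardless of how many random bits the resolver added, so port randomisation and 0x20 only raise the cost for an off-path attacker. The `expected_seconds_to_poison` figures show the other point being argued: the defence is a race whose odds shift toward the attacker in direct proportion to packet rate.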



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>