Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

bert hubert <bert.hubert@netherlabs.nl> Thu, 07 August 2008 20:55 UTC

Date: Thu, 07 Aug 2008 22:47:08 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Olaf Kolkman <olaf@NLnetLabs.nl>
Cc: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Message-ID: <20080807204708.GA27914@outpost.ds9a.nl>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl> <F153E1C5-6E05-475A-897D-471398D161C9@NLnetLabs.nl>

On Thu, Aug 07, 2008 at 09:02:42PM +0200, Olaf Kolkman wrote:
> Imagine a person that has spent a considerable amount of time, money and
> energy in implementing DNSSEC in servers, tools and libraries; has
> 'evangelised' DNSSEC for years in a consistently balanced way,
> recognizing that implementing DNSSEC is far from easy; and has
> provided multiple pieces of documentation. In other words, a person who
> has put the money where the mouth is.

Olaf - I can imagine only too well. Around 7 years ago I attended a talk by
you where you publicly wondered out loud which problem DNSSEC would solve,
and how it could actually be implemented. I was impressed by your
open-mindedness.

Over the years, I've seen the open-mindedness disappear from the community.

As a decade passed away and DNSSEC still hadn't caught on, self-doubt has
been replaced by the mantra that DNSSEC will soon be deployed, and that it
is ready - when there is much still up in the air.

> How would such a person defend against being assessed to suffer from
> groupthink or tunnel vision?

That is very valid criticism, and I spent quite some time tonight figuring
out what I'm actually hoping to achieve - besides what is described very
well on http://xkcd.com/386/ . 

The main thing I hope is that we won't forget the pre-DNSSEC world. In short
this means committing towards finding a solution in short order that will
address remaining spoofing dangers - 64% chance of success within 24 hours
using reasonable resources. Success in these terms might be "effectively
taking over the root for 100000 people".

I've already seen influential WG members state that we'll have only one
chance to seriously change DNS in the coming decade. And furthermore, that
we should use this one chance for implementing DNSSEC.

In addition, it has been reasoned that implementing DNSSEC is just as hard
or easy as implementing entropy additions.

The upshot of this all is that people are effectively saying they will not
be supporting anything *but* DNSSEC.

And that would be sad, if not dangerous, especially since quite a number of
wise people agree DNSSEC rollout will take years. We don't have years to
address the 64% chance.

> These sort of remarks are not very helpful for constructive  
> engineering and don't help to get the core of your message across:  
> "Keep an open mind in alternative interim(?) approaches and work on  
> making DNSSEC easier to operate"

I'd love to be able to put it less bluntly. What is also not helpful is the
near-religious mantra that DNSSEC is the only solution, a mantra which is
part of an astoundingly large part of recent postings and literature.

So - I apologise for accusing people of something it is hard to defend
against. 

But I sincerely hope we won't let the dream of large-scale DNSSEC deployment
over time stand in the way of doing something now.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
