Re: [dnsext] [spfbis] Obsoleting SPF RRTYPE

["Murray S. Kucherawy" <superuser@gmail.com>]

On Thu, Apr 25, 2013 at 4:28 PM, Doug Barton <dougb@dougbarton.us> wrote:

> Yep, been there, done that. It was a bad decision then, and it's still a
> bad decision now. I realize that it's incredibly unpopular to bluntly call
> bad decisions "bad decisions," but not doing so doesn't make them any less
> bad. And, to make matters worse, not doing so has led to a non-trivial
> number of those bad decisions becoming de facto standards. This has at
> least 2 very bad side effects ... first, we have to live with the bad de
> facto standards; but more importantly we are providing encouragement to
> people who wish to make similar bad decisions down the road.
>
> The argument in 6686 boils down to, "We made a series of bad decisions,
> which have led to a bad result. We now want to codify that bad result
> instead of cleaning up our mess." I don't agree with that in principle, and
> I don't agree with that in regards to this particular case.
>
> Further, while cleaning up the SPF mess would require nothing more than a
> marginal amount of extra work now, plus the passage of time, there is no
> reason not to actually clean up the mess.


I think this continues to trivialize exactly what it means to migrate the
enormous deployed base of SPF in the manner you're pushing. I fully agree
with your premise that it should've been "done right" in the beginning and
I lament that it was not, but I don't agree that fixing this now is worth
moving a mountain, especially when I don't believe the people saying that
here will be among the people doing even a fraction of the moving.

At least half of the reason we landed here is because of an environment
that was basically hostile to doing it right in the first place.  The rules
for getting new RRtypes have been improved -- I think we all agree on that
-- but, as you already conceded, there's still a large deployed base of
faulty firewalls and DNS tools out there that don't exactly make use of
uncommon RRtypes easy.  So how much energy are the DNS experts going to put
into cleaning up their house while demanding the mail people clean up
theirs?  I would even go so far as to say that the DNS part has to happen
first, before any cleanup on the email side is practical to consider.

The deployed SPF base probably won't give a damn if the IETF suddenly
releases an RFC that exclaims "Everybody migrate to type 99!"  From the
perspective of large and small operators around the world, what's out there
is working now, and messing with it is asking for pain; engineers' time to
switch and debug costs a lot of money, so they have no incentive whatsoever
to comply with a proposed change to "fix" a service that is philosophically
broken but operationally just fine.

Thus, I maintain that we take our licks on this one and just take steps to
ensure that nobody follows this path again.

-MSK