Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

"John R Levine" <johnl@taugh.com> Thu, 20 July 2017 08:33 UTC

Date: Thu, 20 Jul 2017 10:33:48 +0200
Message-ID: <alpine.OSX.2.21.1707200928290.4118@dhcp-8e4c.meeting.ietf.org>
From: John R Levine <johnl@taugh.com>
To: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "paul@nohats.ca" <paul@nohats.ca>
In-Reply-To: <A05B583C828C614EBAD1DA920D92866BD081E78B@PODCWMBXEX501.ctl.intranet>
References: <alpine.LRH.2.20.1707190347390.10419@ns0.nohats.ca> <20170719215749.2241.qmail@ary.lan> <A05B583C828C614EBAD1DA920D92866BD081E78B@PODCWMBXEX501.ctl.intranet>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5m7vU9UR8QSCVrRQeW7anjUufQ4>

On Thu, 20 Jul 2017, Woodworth, John R wrote:
> Camp#2) Don't break DNS, even for a second

Well, yeah, except that there's no such thing as breaking the DNS for a 
second.  If we look at the history of DNSSEC, we'd break the DNS for 
somewhere between a decade and forever.  We have tried very hard for three 
decades to avoid breaking backward compatibility, and it's hard to believe 
that this is the reason to do it.

> If you choose a secondary that is unaware of BULK, you will get
> NXDOMAINs when they are hit.  If BULK makes it into the top-5
> DNS nameserver implementations, it's only a matter of time before
> the next security concern will get the secondary back in sync and
> in the meantime, maybe you can choose a compatible one.

If only it were that simple.  BULK absolutely requires online DNSSEC 
signing, and there is no even halfway standard to distribute signing keys 
to secondary servers.  I think it would be a good thing to figure out how 
to do DNSSEC key distribution, but we are a long way away from that.  I 
think we can assume that "BULK works if you don't sign" is not a winning 
argument.

Without versioning, BULK will be endlessly flaky.  With versioning that 
keeps broken mirrors from serving it, it'd work a lot better.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly