Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs. DS record
Paul Vixie <paul@redbarn.org> Tue, 14 November 2017 04:21 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91F94127058 for <dnsop@ietfa.amsl.com>; Mon, 13 Nov 2017 20:21:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5vfmIN80V1fg for <dnsop@ietfa.amsl.com>; Mon, 13 Nov 2017 20:21:35 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4AFB126E64 for <dnsop@ietf.org>; Mon, 13 Nov 2017 20:21:35 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:2c81:6cd7:5872:4e2f] (unknown [IPv6:2001:559:8000:c9:2c81:6cd7:5872:4e2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id AEBA161FA2; Tue, 14 Nov 2017 04:21:35 +0000 (UTC)
Message-ID: <5A0A6F4E.8050202@redbarn.org>
Date: Mon, 13 Nov 2017 20:21:34 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.20 (Windows/20171012)
MIME-Version: 1.0
To: Paul Wouters <paul@nohats.ca>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
References: <5C194845-AB79-47DE-B936-97560D071C5D@icann.org> <b21647d7-a710-e5f7-048f-d90eccc79c0f@nic.cz> <20171109174804.GA63012@isc.org> <3440AE65-DE72-4AAE-8A93-2D698CEF79C4@icann.org> <463C4A1E-D189-4A0D-9814-D215F930B0D4@nohats.ca>
In-Reply-To: <463C4A1E-D189-4A0D-9814-D215F930B0D4@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7GgKtxJIe4JPaX1jPTMCCzfJcmM>
Subject: Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs. DS record
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 04:21:36 -0000
Paul Wouters wrote: > >> I'm not sure that the need for robustness outweighs the expectation >> of someone explicitly adding a trust anchor anymore. > > But that’s not your call to make, but the call of the entity deciding > to put in that hard coded trust anchor. > > We just ask you not to block us from doing as we have been doing for > years. +1. all policy is local. >> OTOH, in the sense "I am not sure" there's the example of split-DNS >> and poor query path management (i.e., leaks). I'm not sure if >> robustness helps here, or is a bad-behavior enabler. > > I would like split-DNS to die too but I dont think that’s happening > soon. -1. like NAT, we will have a better internet if we embrace split-DNS rather than wishing it wasn't real or wishing it did not exist. due to network partitions, both permanent and ephemeral, the global or universal namespace should be a last resort, after permitting namespace searches at the host, server, LAN, campus, corporate, league, and regional layers. names at any layer of this hierarchy should be treated as first-class, should be secure, and should be tagged so as to be either re-qualified when carried to higher or lower layers, or marked as unresolvable by those layers. whether DNS can adapt remains to be seen. but declaring working and desired configurations such as split-DNS to be undesireable, or breaking them, or failing to support them, are head-in-sand moves. the internet historically responds to head-in-sand moves by moving on in its own way. -- P Vixie
- Re: [DNSOP] Configured Trust Anchor vs. DS record Petr Špaček
- [DNSOP] Configured Trust Anchor vs. DS record Edward Lewis
- Re: [DNSOP] Configured Trust Anchor vs. DS record Evan Hunt
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Edward Lewis
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Paul Wouters
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Paul Vixie
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Paul Wouters
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Edward Lewis
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Frederico A C Neves
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Paul Wouters
- Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs.… Edward Lewis