Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs. DS record

Paul Vixie <> Tue, 14 November 2017 04:21 UTC

Date: Mon, 13 Nov 2017 20:21:34 -0800
From: Paul Vixie <>
To: Paul Wouters <>

Paul Wouters wrote:
>> I'm not sure that the need for robustness outweighs the expectation
>> of someone explicitly adding a trust anchor anymore.
> But that’s not your call to make, but the call of the entity deciding
> to put in that hard coded trust anchor.
> We just ask you not to block us from doing as we have been doing for
> years.

+1. all policy is local.

>> OTOH, in the sense "I am not sure" there's the example of split-DNS
>> and poor query path management (i.e., leaks).  I'm not sure if
>> robustness helps here, or is a bad-behavior enabler.
> I would like split-DNS to die too but I don't think that's happening
> soon.

-1. like NAT, we will have a better internet if we embrace split-DNS 
rather than wishing it wasn't real or wishing it did not exist.

due to network partitions, both permanent and ephemeral, the global or 
universal namespace should be a last resort, after permitting namespace 
searches at the host, server, LAN, campus, corporate, league, and 
regional layers. names at any layer of this hierarchy should be treated 
as first-class, should be secure, and should be tagged so as to be 
either re-qualified when carried to higher or lower layers, or marked as 
unresolvable by those layers.

whether DNS can adapt remains to be seen. but declaring working and 
desired configurations such as split-DNS to be undesirable, or breaking 
them, or failing to support them, are head-in-sand moves. the internet 
historically responds to head-in-sand moves by moving on in its own way.

P Vixie
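To make the layered search in the message above concrete, here is an added toy resolver. It is not Paul Vixie's code and not part of the thread; the layer names, the zone contents, the search suffixes, the ScopedName tag and the leak policy are all assumptions made for the example. It walks outward from the host layer with the global namespace as last resort, tags every answer with the layer that owns it, re-qualifies bare labels per layer, and refuses to carry a name to a layer wider than its scope, which is the "marked as unresolvable" case and also the query-path leak Paul Wouters mentions.

```python
"""Toy scoped-namespace resolver.

Added illustration of the layered search model in the message above; not
Paul Vixie's code. The layer names, zone data, search suffixes and the
scope-tag policy are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Innermost layer first; the global namespace is consulted last.
LAYERS = ["host", "lan", "campus", "corp", "global"]
RANK = {layer: i for i, layer in enumerate(LAYERS)}

# Constructed per-layer zone data (names and addresses are invented).
ZONES = {
    "host":   {"localhost": "127.0.0.1"},
    "lan":    {"printer.lan": "10.0.0.9"},
    "campus": {"wiki.campus.example": "10.1.0.5"},
    "corp":   {"intranet.corp.example": "10.2.0.7"},
    "global": {"www.example.com": "93.184.216.34"},
}

# Search suffix a layer appends to a bare label; None means no search list.
SEARCH_SUFFIX = {"host": None, "lan": "lan", "campus": "campus.example",
                 "corp": "corp.example", "global": None}


@dataclass(frozen=True)
class ScopedName:
    """A fully qualified name tagged with the layer that owns it."""
    name: str
    scope: str


def _normalize(qname: str) -> str:
    return qname.lower().rstrip(".")


def resolve(qname: str, from_layer: str = "host") -> Tuple[Optional[str], Optional[ScopedName]]:
    """Walk outward from `from_layer`, trying the name as given and then
    re-qualified with the layer's search suffix. The first hit wins and is
    returned tagged with the layer that answered it."""
    q = _normalize(qname)
    for layer in LAYERS[RANK[from_layer]:]:
        candidates = [q]
        suffix = SEARCH_SUFFIX[layer]
        if "." not in q and suffix:
            candidates.append(f"{q}.{suffix}")
        for cand in candidates:
            if cand in ZONES[layer]:
                return ZONES[layer][cand], ScopedName(cand, layer)
    return None, None


def carry(sn: ScopedName, to_layer: str) -> Optional[str]:
    """Move a tagged name to another layer. Inner layers can still use it,
    since they search outward; a layer wider than the name's scope cannot,
    so the name is marked unresolvable instead of being sent as a query."""
    if RANK[to_layer] > RANK[sn.scope]:
        return None
    return sn.name


def is_leak(qname: str, sent_to_layer: str) -> bool:
    """Query-path check: would sending `qname` to `sent_to_layer` expose a
    name that belongs to a narrower layer?"""
    q = _normalize(qname)
    for layer, suffix in SEARCH_SUFFIX.items():
        if suffix and (q == suffix or q.endswith("." + suffix)):
            return RANK[sent_to_layer] > RANK[layer]
    if q in ZONES["host"]:  # host-only names never belong on the wire
        return sent_to_layer != "host"
    return False


if __name__ == "__main__":
    addr, tag = resolve("printer")          # bare label, qualified at the LAN layer
    print(addr, tag)
    print(carry(tag, "global"))             # refused: printer.lan stays inside the LAN
    print(is_leak("intranet.corp.example", "global"))
```

The interesting behaviour is in `carry` and `is_leak`: a name resolved at the corp layer is still usable from a LAN host, because that host would reach the corp layer on its own outward walk, but the same name handed to a global-layer resolver is refused rather than leaked. Real resolvers would replace the dictionaries with per-layer forwarders and the tag with whatever signing or labelling scheme makes the names "secure" in Vixie's sense.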