Re: [DNSOP] Is DNSSEC a Best Current Practice?
Colm MacCárthaigh <colm@allcosts.net> Thu, 10 March 2022 20:16 UTC
References: <88A0AA7A-01B8-4C7E-9A9A-1FB29C9FB18B@icann.org> <98EAB1A0-9746-4BAF-8865-1F28A3CBB6A4@nohats.ca> <198e1c3b-d48f-7cbd-d2d7-b5ba94244968@spamtrap.tnetconsulting.net>
In-Reply-To: <198e1c3b-d48f-7cbd-d2d7-b5ba94244968@spamtrap.tnetconsulting.net>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Thu, 10 Mar 2022 15:16:27 -0500
Message-ID: <CAAF6GDdeY36AUkr4zHbwzEF0WsVXUfTfps1stBCyS55OmL0NrQ@mail.gmail.com>
To: Grant Taylor <gtaylor=40tnetconsulting.net@dmarc.ietf.org>
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7NM8dUIU-WtXRthdsrUCPOylqMk>
Subject: Re: [DNSOP] Is DNSSEC a Best Current Practice?
On Thu, Mar 10, 2022 at 2:59 PM Grant Taylor <gtaylor=40tnetconsulting.net@dmarc.ietf.org> wrote:
> Aside: Maybe it's just me, but I feel like there is more perceived
> value in clarifying existing documentation, in the hopes that others
> will be more likely to adopt current best practices, than there is in
> updating things.

Dare I say it, but I feel some urgency to do this.

I think a single BCP doc is a good idea, but here I'd actually go much further and argue for a significant section in the BCP that acknowledges that it is also a best current practice not to enable DNSSEC. That is objectively the most common practice, and it is very often intentional.

I think there's a way to frame it and lay out the intrinsic trade-offs between internet stability risks and the security benefits. That framing actually underscores the importance and urgency of all the best practices that can mitigate the stability risks and enhance the security. That might more effectively persuade DNSSEC skeptics.

Absent a big change in adoption, a BCP could otherwise seem quite disconnected from reality (TLD-scale outages, stale cryptography) and tone-deaf to the skepticism that's out there. "We hear you" is powerful.

--
Colm