Re: [DNSOP] Is DNSSEC a Best Current Practice?

Colm MacCárthaigh <colm@allcosts.net> Thu, 10 March 2022 20:16 UTC

References: <88A0AA7A-01B8-4C7E-9A9A-1FB29C9FB18B@icann.org> <98EAB1A0-9746-4BAF-8865-1F28A3CBB6A4@nohats.ca> <198e1c3b-d48f-7cbd-d2d7-b5ba94244968@spamtrap.tnetconsulting.net>
In-Reply-To: <198e1c3b-d48f-7cbd-d2d7-b5ba94244968@spamtrap.tnetconsulting.net>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Thu, 10 Mar 2022 15:16:27 -0500
Message-ID: <CAAF6GDdeY36AUkr4zHbwzEF0WsVXUfTfps1stBCyS55OmL0NrQ@mail.gmail.com>
To: Grant Taylor <gtaylor=40tnetconsulting.net@dmarc.ietf.org>
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7NM8dUIU-WtXRthdsrUCPOylqMk>
Subject: Re: [DNSOP] Is DNSSEC a Best Current Practice?

On Thu, Mar 10, 2022 at 2:59 PM Grant Taylor
<gtaylor=40tnetconsulting.net@dmarc.ietf.org> wrote:
> Aside:  Maybe it's just me, but I feel like there is more perceived
> value in clarifying existing documentation, in the hopes that others
> will be more likely to adopt current best practices, than there is in
> updating things.  Dare I say it, but I feel some urgency to do this.

I think a single BCP doc is a good idea, but here I'd actually go much
further and argue for a significant section in the BCP that
acknowledges that it is also a best current practice not to enable
DNSSEC. That is objectively the most common practice, and it is very
often intentional. I think there's a way to frame it and lay out the
intrinsic trade-offs between internet stability risks and the security
benefits. That framing actually underscores the importance and urgency
of all the best practices that can mitigate the stability risks and
enhance the security. That might more effectively persuade DNSSEC
skeptics. Absent a big change in adoption, a BCP could otherwise seem
quite disconnected from reality (TLD-scale outages, stale
cryptography) and tone-deaf to the skepticism that's out there. "We
hear you" is powerful.

-- 
Colm