Re: [DNSOP] Last Call: <draft-ietf-dnsop-obsolete-dlv-00.txt> (Moving DNSSEC Lookaside Validation (DLV) to Historic Status) to Informational RFC

Randy Bush <randy@psg.com> Thu, 05 September 2019 21:46 UTC

Date: Thu, 05 Sep 2019 14:46:12 -0700
Message-ID: <m2imq68li3.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Michael Sinatra <michael@brokendns.net>
Cc: dnsop@ietf.org, draft-ietf-dnsop-obsolete-dlv@ietf.org, dnsop-chairs@ietf.org, IETF Rinse Repeat <ietf@ietf.org>
In-Reply-To: <9131d5a0-89a9-7972-89bc-0c5dbc52aaa1@brokendns.net>
References: <156764055661.22821.274141071401649127.idtracker@ietfa.amsl.com> <m2pnke8pm2.wl-randy@psg.com> <AB75CAA6-E780-4F45-A3E8-C435497B4942@nohats.ca> <2625858.BhlKzlQLXd@linux-9daj> <9131d5a0-89a9-7972-89bc-0c5dbc52aaa1@brokendns.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7mHrvoNtNM0zLGsnfD7p_Cj6GPc>

> I remember scaring a bunch of people at a NANOG meeting by suggesting
> that we should have an alternate method of establishing trust, and
> that method should be non-hierarchical (or perhaps
> "counter-hierarchical"). I believe I used "DLV-like" to describe it
> and I remember the reactions I got (esp from Randy).  My goal was to
> mitigate risk from anything that might cause the root KSK to become
> bolloxed, like a botched key roll.

you misunderstood me.

dlv had no particular trust model.  i was and remain a web of trust
heretic as far as net ops is concerned.  it's the way operators actually
work.  if you and cat, who i know, trust brielle, i'll trust her, though
not necessarily her friends.

lack of an inter-operator trust model is why slurm is not usable other
than in one's own net.  it is droll that lta-use touches this but got
enough pushback from a sec ad that i have not had the time to educate.

i was also not successful pushing wot in the rpki-based routing security
development cabal.  essentially, the ietf's total focus on the x.509
based pki hierarchy meant wot went for decades with no energy behind
analysis, design, development, etc.; starved from birth.

randy