Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Mikael Abrahamsson <swmike@swm.pp.se> Wed, 16 August 2017 07:03 UTC

Date: Wed, 16 Aug 2017 09:03:41 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Mukund Sivaraman <muks@isc.org>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <20170816064855.GB16977@jurassic>
Message-ID: <alpine.DEB.2.20.1708160900530.3655@uplift.swm.pp.se>
References: <149908054910.760.8140876567010458934.idtracker@ietfa.amsl.com> <CANLjSvU23OPMM=cETxBiV7j8UhMzMd426VuivxAtboMAB0=7jw@mail.gmail.com> <alpine.DEB.2.11.1707031317070.21595@grey.csi.cam.ac.uk> <CANLjSvXE4q9PSEc4txKM4OPKXVpT38N_PC2-fDHmihpk29ahcw@mail.gmail.com> <1197245d-6b9a-3c3b-82a0-dc6a1cc3de58@nic.cz> <CANLjSvVe99q4vtTW0TRopmQ0s9hC8HdMze5B6COs8Y_3unir5w@mail.gmail.com> <CAAiTEH8ntOerB6MGKMS2xcCK3TL9n4fyLq6F+bpUY6oTUpWN8w@mail.gmail.com> <20170816054539.GA12897@jurassic> <alpine.DEB.2.20.1708160816580.3655@uplift.swm.pp.se> <20170816064855.GB16977@jurassic>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8WrqyGmGT-inzK9w02ApflZL0Yo>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

On Wed, 16 Aug 2017, Mukund Sivaraman wrote:

>
> The validating resolver is half of the system.
>
> DNSSEC is brittle.

Absolutely. But before we were in a situation where people signed zones, 
screwed it up, and then the (sometimes single) ISP running a validating 
resolver got the run-around "must be wrong at your end, nobody else is 
complaining" and the zone signing was never fixed.

Now I think we're past that. There are enough users behind validating 
resolvers nowadays that you can't get away with getting your signing 
wrong and blaming others.

Yes, we need better APIs so applications can tell the user what went 
wrong, instead of just throwing a DNS failure. If there is need to update 
the DNS specs for this to be possible, then that should be done.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
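The message above asks for an API that lets an application tell the user why a lookup failed rather than surfacing a bare DNS failure. The mechanism later standardized for exactly this is the Extended DNS Error EDNS option (RFC 8914, option code 15, published after this thread). The following is an added illustration, not code from the thread or from any named implementation: it builds a constructed SERVFAIL response with and without an EDE option, parses the OPT record, and turns the result into a message that distinguishes a DNSSEC validation failure from a generic resolution failure. The query name "bogus.example." and the message ID are made-up sample values; only the Python standard library is used.

```python
import struct

# Extended DNS Error (EDE) option code and INFO-CODE names from RFC 8914.
# RFC 8914 postdates this thread; it is the assumed "better API" here.
EDE_OPTION_CODE = 15
EDE_INFO_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing",
    13: "Cached Error", 14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered",
    18: "Prohibited", 19: "Stale NXDomain Answer", 20: "Not Authoritative",
    21: "Not Supported", 22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}
# INFO-CODEs a validating resolver uses to report a DNSSEC validation failure.
DNSSEC_INFO_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_OPT = 41


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_servfail(qname, ede=None):
    """Constructed SERVFAIL response (QR, RD, RA set) for an A/IN query.
    ede is an (info_code, extra_text_bytes) pair or None; sample data, not a capture."""
    flags = 0x8000 | 0x0100 | 0x0080 | 2            # QR | RD | RA | RCODE=SERVFAIL
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    options = b""
    if ede is not None:
        info_code, text = ede
        # OPTION-CODE, OPTION-LENGTH, then OPTION-DATA = INFO-CODE + EXTRA-TEXT
        options = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/DO bit
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, len(options)) + options
    return header + question + opt_rr


def skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return the (extended) RCODE, the AD flag, and any EDE (info_code, text) pairs."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x0F
    ad = bool(flags & 0x0020)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    ede = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4   # upper 8 bits of the 12-bit extended RCODE
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            data = rdata[pos:pos + olen]
            pos += olen
            if code == EDE_OPTION_CODE and len(data) >= 2:
                info = struct.unpack_from("!H", data)[0]
                ede.append((info, data[2:].decode("utf-8", "replace")))
    return {"rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
            "ad": ad, "ede": ede}


def explain(msg):
    """The user-facing text an application could show instead of a bare 'DNS failure'."""
    r = parse_response(msg)
    if r["rcode"] == 0:
        return "ok" + (" (DNSSEC validated)" if r["ad"] else "")
    for info, text in r["ede"]:
        name = EDE_INFO_CODES.get(info, "code %d" % info)
        detail = " (%s)" % text if text else ""
        if info in DNSSEC_INFO_CODES:
            return "DNSSEC validation failed: %s%s" % (name, detail)
        return "DNS lookup failed (%s): %s%s" % (r["rcode_name"], name, detail)
    return "DNS lookup failed (%s); resolver gave no reason" % r["rcode_name"]


if __name__ == "__main__":
    print(explain(build_servfail("bogus.example.", (6, b"signature expired"))))
    print(explain(build_servfail("bogus.example.")))
```

The second call shows the situation the message complains about: a plain SERVFAIL carries nothing an application can relay to the user, whereas the first call lets it name the DNSSEC failure so the blame lands on the signing, not on the resolver operator.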