[DNSOP] Opt-in, zone enumeration and dnsext history

Jim Reid <jim@rfc1035.com> Fri, 10 March 2017 19:53 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 65DE51270B4 for <dnsop@ietfa.amsl.com>; Fri, 10 Mar 2017 11:53:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id scf_voYuj45L for <dnsop@ietfa.amsl.com>; Fri, 10 Mar 2017 11:53:40 -0800 (PST)
Received: from shaun.rfc1035.com (shaun.rfc1035.com []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71AA8126CD8 for <dnsop@ietf.org>; Fri, 10 Mar 2017 11:53:35 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 770F8242125A; Fri, 10 Mar 2017 19:53:33 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <20170310183026.GM96485@registro.br>
Date: Fri, 10 Mar 2017 19:53:33 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <2120F722-E0A2-451B-A15A-49B729E191FB@rfc1035.com>
References: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com> <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org> <A05B583C828C614EBAD1DA920D92866BD06F4468@PODCWMBXEX501.ctl.intranet> <20170310172655.GA92236@isc.org> <CAHw9_i+1TLLAkGP_D23R9kLq+0yacXVz70h1SO6CxZcrL4E+RA@mail.gmail.com> <CAHPuVdWXGLM6JjR3J53X50W4rcTndiw0UJTKWPxe16WR3znM9Q@mail.gmail.com> <20170310183026.GM96485@registro.br>
To: Frederico A C Neves <fneves@registro.br>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/93NJRJYU91YDNi7AjuelEEiKneU>
Cc: IETF dnsop WG <dnsop@ietf.org>
Subject: [DNSOP] Opt-in, zone enumeration and dnsext history
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 19:53:48 -0000

> On 10 Mar 2017, at 18:30, Frederico A C Neves <fneves@registro.br> wrote:
> I know others have already stated this but zone enumeration, at least
> at that time, was never the real reason for NSEC3, size of signing
> zones with mostly unsigned delegations was. This was only needed
> because of the wg lack of management and sensibility to operators
> needs leading to the historical debacle of opt-in.

There’s some selective rewriting of history going on here Fred.

Zone enumeration was an absolute showstopper for a bunch of European ccTLDs. They said they would not deploy DNSSEC-bis under any circumstances. I distinctly remember several conversations with the board and management of Nominet about this, their willingness to spend “whatever it took” to get NSEC3 done, and how long it would take the IETF to finish that new protocol. AFAICT the size of the signed zone or the time it took to sign was not a significant concern for those TLDs.

Opt-in was largely a side issue in the development of DNSSEC-ter, albeit an important one for Verisign.

Roy Arends invented opt-in while DNSSEC-bis was being developed ~15 years ago. [I was his boss at the time and deeply unhappy that opt-in was going to create so much controversy that it would delay completion of DNSSEC-bis for at least a year or two. The company we worked for planned to sell DNS software that supported this new-fangled DNSSEC thing, so there were business drivers to get DNSSEC finalised quickly.] There was a *very* long and tedious argument in dnsext about opt-in. The eventual consensus in the WG was authenticated proof of non-existence mattered. So opt-in for DNSSEC-bis got killed and DNSSEC-bis was finally pushed out the door.

After DNSSEC-bis was done, work began on DNSEC-ter. Opt-in got dug up. Or hadn’t really gone away. By then the WG was long past caring and had no appetite to repeat the same arguments about authenticated proof of non-existence all over again. So opt-in found its way into the DNSEC-ter spec.

Verisign might well have said then that signing .com/.net/.org wouldn’t happen unless they got a protocol than included opt-in. [They may have made (and lost?) the same argument when work DNSSEC-bis was under way.] But that would have been after dnsext had already decided to do DNSSEC-ter and solve the zone enumeration problem that had effectively killed DNSSEC-bis deployment at birth.