Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Nicholas Weaver <> Sat, 14 March 2015 19:44 UTC


> On Mar 13, 2015, at 7:59 PM, Paul Vixie <> wrote:

>> Nicholas Weaver, Saturday, March 14, 2015 5:07 AM
>>> ...
>>> Overall, unless you are validating on the end host rather than the recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no good.
> several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to be a trivial exercise, because it finally provided justification for what was at that time 12 years of apparently-wasted effort on DNSSEC.

But it didn't justify DNSSEC, even at the time.

Between actually adding in a bit more entropy in the request through 0x20 and port randomization, and more importantly cleaning up the glue policy for recursive resolvers (which Unbound did), you close the door on off-path attackers: both making races harder AND eliminating the "race until win" property.

In fact, several have viewed the glue policy cleanup, which gets to the root cause of the Kaminsky problem, as detrimental specifically because of the desire to force DNSSEC adoption.

> so we'll keep pushing the crap system we have, uphill all the way, noone loving it, and almost everyone in fact hating it. we've now spent more calendar- and person-years on DNSSEC than was spent on the entire IPv4 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort began. ugly, ugly, ugly.

At which point is it sunk cost fallacy?

"DNS is insecure, live with it" may be the best answer.  Why keep throwing good effort after bad?

It certainly is a hell of a lot better than the DOS attack that is recursive resolver validation which provides almost no meaningful security gain.

If I was Comcast, after the HBO DNSSEC mess-up, on top of previous mess-ups where Comcast inevitably gets the blame, I'd be really really tempted to turn OFF DNSSEC validation.  It has failed.

Nicholas Weaver
510-666-2903
it is a tale, told by an idiot, full of sound and fury, signifying nothing
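The two mitigations Weaver contrasts with DNSSEC above (extra request entropy via 0x20 and port randomization, and a stricter glue policy in the recursive resolver) are sketched below as an added example; it is not code from the post or from any resolver, and its credibility ranks and cache shape are a deliberately simplified, assumed model of how a resolver keeps glue from overriding an authoritative answer.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str

def randomize_0x20(qname: str) -> str:
    """0x20 encoding: randomly flip the case of each letter, so an off-path
    forger must also reproduce the case pattern for a reply to be accepted."""
    return "".join((c.upper() if secrets.randbits(1) else c.lower()) if c.isalpha() else c
                   for c in qname)

def entropy_bits(qname: str, txid_bits: int = 16, port_bits: int = 16) -> int:
    """Bits a blind forger must guess per reply; assumes a full 16-bit TXID
    and a 16-bit random source port (assumption, not a measured figure)."""
    return txid_bits + port_bits + sum(c.isalpha() for c in qname)

def reply_matches(sent_id, sent_port, sent_qname, recv_id, recv_port, recv_qname) -> bool:
    """Accept a reply only if TXID, port and the exact QNAME case all match."""
    return (sent_id, sent_port, sent_qname) == (recv_id, recv_port, recv_qname)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (case-insensitive, trailing dot ignored)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

CRED_GLUE, CRED_ANSWER = 1, 2   # assumed credibility ranks: glue < authoritative answer

class Cache:
    def __init__(self):
        self.rrs = {}
    def store(self, rr: RR, cred: int) -> None:
        key = (rr.name.lower(), rr.rtype)
        cur = self.rrs.get(key)
        if cur is None or cred >= cur[1]:      # lower-ranked data never overwrites higher
            self.rrs[key] = (rr, cred)
    def lookup(self, name: str, rtype: str):
        hit = self.rrs.get((name.lower(), rtype))
        return hit[0].rdata if hit else None

def accept_glue(cache: Cache, zone: str, additional: list) -> list:
    """Glue policy: keep only in-bailiwick additional records, stored at glue rank."""
    kept = [rr for rr in additional if in_bailiwick(rr.name, zone)]
    for rr in kept:
        cache.store(rr, CRED_GLUE)
    return kept
```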