Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Davey Song <songlinjian@gmail.com> Wed, 16 August 2017 09:35 UTC

In-Reply-To: <20170816064855.GB16977@jurassic>
References: <149908054910.760.8140876567010458934.idtracker@ietfa.amsl.com> <CANLjSvU23OPMM=cETxBiV7j8UhMzMd426VuivxAtboMAB0=7jw@mail.gmail.com> <alpine.DEB.2.11.1707031317070.21595@grey.csi.cam.ac.uk> <CANLjSvXE4q9PSEc4txKM4OPKXVpT38N_PC2-fDHmihpk29ahcw@mail.gmail.com> <1197245d-6b9a-3c3b-82a0-dc6a1cc3de58@nic.cz> <CANLjSvVe99q4vtTW0TRopmQ0s9hC8HdMze5B6COs8Y_3unir5w@mail.gmail.com> <CAAiTEH8ntOerB6MGKMS2xcCK3TL9n4fyLq6F+bpUY6oTUpWN8w@mail.gmail.com> <20170816054539.GA12897@jurassic> <alpine.DEB.2.20.1708160816580.3655@uplift.swm.pp.se> <20170816064855.GB16977@jurassic>
From: Davey Song <songlinjian@gmail.com>
Date: Wed, 16 Aug 2017 17:35:26 +0800
Message-ID: <CAAObRXLtDgor10j9jH6Nq0Bynhe4xJXa2KPsuX6xVhGmTKg2dw@mail.gmail.com>
To: Mukund Sivaraman <muks@isc.org>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FYMbvHw7JfV4FKNPeDijj6hEOYw>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

According to your description, I feel that IPv6 has a better chance to win
than its "brother" DNSSEC. LoL

On 16 August 2017 at 14:48, Mukund Sivaraman <muks@isc.org> wrote:

> On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote:
> > On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> >
> > > 24 / 500 top domains (4.8%)
> > > 20548 / 1 million top domains (2.05%)
> > >
> > > (12 years after introduction of 403{3,4,5})
> >
> > https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1
> >
> > 20% of European users are behind a validating resolver, in some countries
> > it's 70% plus.
> >
> > So this is now happening, albeit at a not high enough pace. But at least
> > it's going in the right direction, and I do believe that there are enough
> > people behind validating resolvers that people can't mess up signing their
> > zone and push away blame on who needs to fix things.
> >
> > So at least there is benefit in signing your zone now, there wasn't as much
> > before when nobody was validating.
>
> The validating resolver is half of the system.
>
> DNSSEC is brittle. It has an all-or-nothing behavior (that's what it was
> designed for) that many businesses cannot afford to bank on if something
> were to go wrong. An administrative error or signer software bug on the
> authoritative side can take the whole zone down and every service with
> it (as DNS is at the head of network activity). Software is still not
> perfect, so I don't know how this can change - I see practical signer
> bugs still that take down the zone entirely. It's also still painfully
> inconvenient to update parent zones, which makes fixing mishaps
> difficult. The amount of damage that a break in the DNSSEC validation chain
> could do is far greater than other implementations of crypto such as TLS
> where it is limited to a service.
>
> (Note that I'm not advocating against DNSSEC, as much as this email may
> sound so. The things I mention are practical issues that I see as an
> implementor.)
>
> A colleague says "If TLDs allowed UPDATE messages to be processed most
> of the issues with DNSSEC would go away. At the moment we have a whole
> series of kludges because people are scared of signed update messages."
>
>                 Mukund
>
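Mukund's point that a signer bug or an administrative error on the authoritative side takes the whole zone down has one very common concrete form: RRSIGs that have expired, or whose inception time is still in the future, cause every validating resolver to fail validation for the names they cover. The Python below is an added illustration of how a zone operator can catch that before resolvers do; it is not code from this thread or from ISC. It parses RRSIG records in zone-file presentation format, classifies each one against a fixed clock, and rolls the findings up into a single zone verdict. The zone name example.test, the key tags, the timestamps and the signature blobs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG RDATA presentation format (RFC 4034, section 3.2):
#   <type covered> <algorithm> <labels> <original TTL> <sig expiration>
#   <sig inception> <key tag> <signer name> <signature>
# Signature times are YYYYMMDDHHmmSS in UTC.
SIGTIME_FORMAT = "%Y%m%d%H%M%S"

# Severity order used to roll individual findings up into a zone verdict.
SEVERITY = {"ok": 0, "expiring-soon": 1, "not-yet-valid": 2, "expired": 3}


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _sigtime(text: str) -> datetime:
    return datetime.strptime(text, SIGTIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG record in presentation format.

    Accepts both 'owner TTL IN RRSIG ...' and 'owner RRSIG ...' forms."""
    fields = line.split()
    if "RRSIG" not in fields:
        raise ValueError(f"not an RRSIG record: {line!r}")
    rdata = fields[fields.index("RRSIG") + 1:]
    if len(rdata) < 9:
        raise ValueError(f"truncated RRSIG RDATA: {line!r}")
    return Rrsig(
        owner=fields[0],
        type_covered=rdata[0],
        algorithm=int(rdata[1]),
        expiration=_sigtime(rdata[4]),
        inception=_sigtime(rdata[5]),
        key_tag=int(rdata[6]),
        signer=rdata[7],
    )


def classify(sig: Rrsig, now: datetime, warn_before: timedelta) -> str:
    """Return 'expired', 'not-yet-valid', 'expiring-soon' or 'ok' for one RRSIG.

    A validator only accepts a signature when inception <= now <= expiration
    (RFC 4035, section 5.3.1); outside that window the covered RRset is bogus."""
    if now > sig.expiration:
        return "expired"
    if now < sig.inception:
        return "not-yet-valid"
    if sig.expiration - now <= warn_before:
        return "expiring-soon"
    return "ok"


def check_rrsigs(lines, now, warn_before=timedelta(days=3)):
    """Classify every RRSIG line; returns [(owner, type_covered, status), ...]."""
    return [
        (sig.owner, sig.type_covered, classify(sig, now, warn_before))
        for sig in map(parse_rrsig, lines)
    ]


def zone_verdict(findings) -> str:
    """Roll findings up to the single worst status. DNSSEC is all-or-nothing
    for the names a signature covers, so one bad RRSIG is enough to break
    resolution for everything under it."""
    statuses = (status for _, _, status in findings)
    return max(statuses, key=SEVERITY.__getitem__, default="ok")


# Constructed sample data: zone, key tags and signature blobs are placeholders,
# not real records. "Now" is pinned so the example is deterministic.
NOW = datetime(2017, 8, 16, 9, 35, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    "example.test.     3600 IN RRSIG A      8 2 3600 20170901000000 20170802000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy",
    "www.example.test. 3600 IN RRSIG A      8 3 3600 20170818000000 20170719000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy",
    "example.test.     3600 IN RRSIG SOA    8 2 3600 20170815000000 20170716000000 12345 example.test. c2lnLXBsYWNlaG9sZGVy",
    "example.test.     3600 IN RRSIG DNSKEY 8 2 3600 20170930000000 20170820000000 54321 example.test. c2lnLXBsYWNlaG9sZGVy",
]

if __name__ == "__main__":
    findings = check_rrsigs(SAMPLE_RRSIGS, NOW)
    for owner, rtype, status in findings:
        print(f"{status:14} {owner} {rtype}")
    print("zone verdict:", zone_verdict(findings))
```

In practice the input would be the RRSIG lines of the signed zone file, or the answer section of a `dig +dnssec` query against each authoritative server, run on a schedule; anything other than `ok` is worth an alert, and the `warn_before` window should be longer than the signer's re-sign interval plus the time it takes a fix to reach every secondary, which is the margin the quoted message says operators currently lack.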