Re: [DNSOP] Current DNS standards, drafts & charter

Paul Vixie <paul@redbarn.org> Tue, 27 March 2018 15:55 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 403DF12DA72 for <dnsop@ietfa.amsl.com>; Tue, 27 Mar 2018 08:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IA6JIUfRs1gp for <dnsop@ietfa.amsl.com>; Tue, 27 Mar 2018 08:55:39 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCFA612DA6B for <dnsop@ietf.org>; Tue, 27 Mar 2018 08:55:39 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:4ca8:bd4c:848b:7427] (unknown [IPv6:2001:559:8000:c9:4ca8:bd4c:848b:7427]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 5B73A7594C; Tue, 27 Mar 2018 15:55:39 +0000 (UTC)
Message-ID: <5ABA6977.4050201@redbarn.org>
Date: Tue, 27 Mar 2018 08:55:35 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.24 (Windows/20180302)
MIME-Version: 1.0
To: Paul Wouters <paul@nohats.ca>
CC: dnsop <dnsop@ietf.org>
References: <20180326154645.GB24771@server.ds9a.nl> <5AB91C2B.1050203@redbarn.org> <alpine.LRH.2.21.1803270759250.32312@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1803270759250.32312@bofh.nohats.ca>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MpGK8s0pS8CoCUfXy4uBOU3vOBQ>
Subject: Re: [DNSOP] Current DNS standards, drafts & charter
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 15:55:41 -0000


Paul Wouters wrote:
> On Mon, 26 Mar 2018, Paul Vixie wrote:
>
>> what i'd like is something more. KEY, SIG and NXT had multiple
>> interoperable implementations, but were not actually functional in any
>> end-to-end way, and were thus replaced by RRSIG, DNSKEY, DS, and NSEC.
>> later we moved the target and added NSEC3 and then NSEC3PARAM.
>
> The way I remember this is that while while the KEY/SIG/NXT didn't
> provide the chain of trust, it was otherwise functional and DS could
> have been added here.

the question i'm begging here is why was something RFC'd that could not 
possibly have worked other than on a whiteboard or test lab, not exactly 
which parts could have been kept. we ought to have required a scale 
model of the resulting system -- which would have required a much larger 
test lab -- before we let that draft or any draft move forward.

this would have caught the IP fragmentation design flaw in EDNS, also.

> The desire to only allow DNS to use the KEY record (and exclude IPsec
> keys) was the main drive to rename/renumber these to DNSKEY/RRSIG/NSEC.

according to the records, TCR was nec'y in order to facilitate DS. see:

https://tools.ietf.org/id/draft-weiler-dnsext-dnssec-2535-compat-00.txt

-- 
P Vixie