Re: [DNSOP] IETF meeting prep and what

Peter van Dijk <> Wed, 30 June 2021 18:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DA3C33A26D7 for <>; Wed, 30 Jun 2021 11:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cDAYDYtEI6Ra for <>; Wed, 30 Jun 2021 11:59:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 71C3E3A26D3 for <>; Wed, 30 Jun 2021 11:59:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 5E1B46A0D4; Wed, 30 Jun 2021 20:59:18 +0200 (CEST)
Received: from plato ([]) by with ESMTPSA id AoUHFga/3GARRQAA3c6Kzw (envelope-from <>); Wed, 30 Jun 2021 20:59:18 +0200
Message-ID: <>
From: Peter van Dijk <>
To: dnsop <>
Date: Wed, 30 Jun 2021 20:59:16 +0200
In-Reply-To: <>
References: <> <>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] IETF meeting prep and what
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jun 2021 18:59:27 -0000

Hello DNSOP,

> I propose replacing rfc5011-security-considerations with a short document deprecating 5011 in its entirety. I am happy to write text for that, if there is an appetite - when the WG queue is small enough!

I see this ruffled some feathers. Here's a more nuanced version.

I feel that 5011, for the purpose of root key rollovers, is the wrong tool, -especially- combined with the trust anchor signaling that various resolver stacks sent to the root. Lack of clarity about where various signals came from, combined with some interesting bugs in implementations, has led to a lot of wild goose chases, and it would not surprise me (but I cannot prove) that bad data is what delayed the first roll for so long. Not actual problems predicted by the data; just bad data. (I have mentioned before that I think the trust anchor signalling was a mistake too, and any calls for 'more of this' are 'calls for more bad data' and we do not need more bad data.)

I feel that the right mechanism for root key distribution is software distributors. This is working fine for the CA system, and with keys announced far enough in advance, should work fine for DNSSEC. Software distributors have solved this problem; they are very good at distributing things; I suggest we let them solve this for us.

rfc5011-security-considerations is a good document, and I apologise for targeting it unfairly - my problem with 5011 is as above. Given my next two point, it probably makes sense to publish rfc5011-security-considerations.

With heaps of 5011 'client' implementations out there, I am in no way proposing that root rolls happen in a way that that software could not follow along. I am only proposing that we write down that 5011 is not the best fit for the problem, and recommend against more client implementations of it *for the purpose of root key rolls*.

I think (can't find it right now) that somebody mentioned that 5011 has its place outside of the root key system, inside enterprises. I'm inclined to disagree, but do not feel entirely capable of judging that. If (again, when there's WG bandwidth) we draft a document about why 5011 is a bad fit for the root, perhaps somebody can contribute text about the level-of-fit for other use cases.

Kind regards,
Peter van Dijk