Re: [DNSOP] Privacy and DNSSEC

Paul Vixie <paul@redbarn.org> Wed, 29 April 2020 04:49 UTC

From: Paul Vixie <paul@redbarn.org>
To: Shumon Huque <shuque@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Date: Wed, 29 Apr 2020 04:49:51 +0000
Message-ID: <21757930.7KVZAQyxnt@linux-9daj>
Organization: none
In-Reply-To: <CAHPuVdXBaBG27v2hyD1bpp+9YxC5BvTjL5ojqXw7yc17Ufpk7A@mail.gmail.com>
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <18685549.zqRq8fnmLB@linux-9daj> <CAHPuVdXBaBG27v2hyD1bpp+9YxC5BvTjL5ojqXw7yc17Ufpk7A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rty15Pw3JWMWf8WbX7OEUnME_EI>
Subject: Re: [DNSOP] Privacy and DNSSEC

On Wednesday, 29 April 2020 01:17:04 UTC Shumon Huque wrote:
> ...
> 
> Paul - I guess I'm missing some background here. In what sense did
> getting DS working throw validating stubs overboard? Do you mean it
> took the focus away from them?

no. i mean that the decision to require a "clear path" for DNSSEC meant that 
no DNSSEC-dependent application has ever received investment. for example, 
DANE is interesting in the SMTP market because that's small and geeky, but 
will never be adopted by the Web because there are too many endpoints who 
cannot do stub validation and too many who will never be able to.

building a DNSSEC-dependent product or service would be commercial suicide. 
whatever we had to do to prevent this, no matter what the cost, up to and 
including putting keys and signatures into TXT records, would have been more 
in keeping with our own long term rational self interest and the goal of 
DNSSEC ubiquity. if as i expect history passes DNSSEC by other than for DANE/
SMTP and SSHFP and protection of RDNS caches, it will be due to the "clear 
path" design decision.

imagine the WWW launching as it did in the early 1990's but in a way that 
could not work on any desktop whose DNS server was from an earlier era. i hope 
we can agree that it would have failed, and that its failure would have 
inspired something more like the WWW we actually know, which works, and 
worked, everywhere.

-- 
Paul