Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs. DS record

Edward Lewis <> Tue, 14 November 2017 14:44 UTC

From: Edward Lewis
To: Paul Wouters
CC: Evan Hunt, Petr Špaček
Date: Tue, 14 Nov 2017 14:44:45 +0000

On 11/13/17, 21:15, "DNSOP on behalf of Paul Wouters" wrote:

>> I'm not sure that the need for robustness outweighs the expectation of someone explicitly adding a trust anchor anymore.

>But that’s not your call to make, but the call of the entity deciding to put in that hard-coded trust anchor.

To clarify, the "robustness" was the goal of the protocol design leading up to the 2004 publication of the current DNSSEC definition; it is not a call anyone is making now.

The goals of robustness, local policy, and other factors fed into the current design.  How these, sometimes conflicting, objectives were weighted was subjective, and with more 20/20 hindsight, perhaps the weightings were wrong.

>We just ask you not to block us from doing as we have been doing for years.

I don't know how to take this - what's being discussed is the way the protocol was designed in the past versus how implementations have chosen to go.  In the spirit of code trumps spec, specifications need to catch up if there's a deviation.

>I would like split-DNS to die too but I don't think that's happening soon.

Arguing split-DNS would be another thread; I want to clarify that the "too" in your quote shouldn't implicate anything I've said about split-DNS as meaning I wished it to "go away". (I.e., I see split-DNS as a reality.)