Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Paul Wouters <paul@nohats.ca> Fri, 13 March 2015 17:54 UTC

Date: Fri, 13 Mar 2015 13:54:25 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Morizot Timothy S <Timothy.S.Morizot@irs.gov>
In-Reply-To: <968C470DAC25FB419E0159952F28F0C06DF659F0@MEM0200CP3XF04.ds.irsnet.gov>
Message-ID: <alpine.LFD.2.10.1503131342460.22027@bofh.nohats.ca>
References: <20150312125913.20188.qmail@cr.yp.to> <3D558422-D5DA-4434-BDED-E752BA353358@flame.org> <m27fulry37.wl%randy@psg.com> <55030A28.8050707@necom830.hpcl.titech.ac.jp> <5503101F.9060205@redbarn.org> <968C470DAC25FB419E0159952F28F0C06DF659F0@MEM0200CP3XF04.ds.irsnet.gov>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YxW6Gg7GSprUkohI2tMfEPomB6A>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>

On Fri, 13 Mar 2015, Paul Vixie or Morizot Timothy S wrote:

[not sure of the quoting in this message]

> DNSSEC is [...] even less finished and less deployed than IPv6.

I have to disagree with this continued claim by opponents of DNSSEC
that it is not widely deployed. The fact that Apple had an outage that
was caused by DNSSEC actually shows it has been deployed widely! All of
Google DNS and Comcast clients were affected! That's probably more than
all IPv6 users.

Also, while the DNSSEC opponents screamed (well, tweeted) murder and
called for throwing out DNSSEC, when the next day all the online Apple
Stores were down because of Apple's "internal DNS error", those DNSSEC
opponents were very quiet and not screaming to rip DNS out of the
internet :P

> then what we know now we'd've scrapped DNS itself and started from scratch just to avoid the
> compromises we've made.

And we would not be able to avoid some of the same issues. For example,
any newly made solution would have the same choice of deciding in the
browser to soft fail or hard fail (or do a pop-up). People now complain
about the "hard fail" nature of DNSSEC in browsers, but DNSSEC has
actually been designed to allow a soft fail. All the browsers need to
do in response to a ServFail is to re-issue the query with the CD bit
set and if they receive an answer on the second go, pop-up to the user
for an override.

Paul
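The retry Paul describes (a normal query that gets SERVFAIL is re-sent with the CD bit set, and any answer that comes back is then shown to the user as unvalidated data) in working code. This is an added example, not code from the thread or from any browser; the resolver it talks to is a constructed stand-in (the zone names `signed.example.` and `bogus.example.` and the 192.0.2.1 answer are made up), so the whole thing runs offline, and the wire encoding is the plain RFC 1035 header with the AD/CD bits from RFC 4035.

```python
# Added example, not code from the DNSOP thread: builds DNS queries with and
# without the CD (Checking Disabled) bit and implements the soft-fail retry the
# message describes (SERVFAIL -> re-ask with CD=1 -> treat any answer as
# unvalidated and let the user decide). The resolver below is a constructed
# stand-in, so nothing here touches the network.
import struct

# 16-bit flags word (RFC 1035 header; AD and CD bits from RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data: resolver validated the answer
FLAG_CD = 0x0010  # Checking Disabled: client asks resolver to skip validation
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset=12):
    """Read an uncompressed name from msg (enough for the question section)."""
    labels = []
    while msg[offset] != 0:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + "."


def build_query(name, txid=0x1234, cd=False):
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ancount": an}


def query_has_cd(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_CD)


# Constructed zones for the stand-in resolver: one validates, one is bogus
# (bad signatures), everything else is treated as unsigned.
SIGNED_ZONE = "signed.example."
BOGUS_ZONE = "bogus.example."


def fake_validating_resolver(query):
    """Behave like a validating resolver: SERVFAIL for bogus data unless the
    client set CD, in which case hand back the data with AD clear."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, question, cd = decode_name(query), query[12:], query_has_cd(query)
    if qname.endswith(BOGUS_ZONE) and not cd:
        flags = FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_CD if cd else 0)
    if qname.endswith(SIGNED_ZONE) and not cd:
        flags |= FLAG_AD
    # One A record (192.0.2.1, TEST-NET-1) whose owner points at the question name.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def resolve_with_soft_fail(name, send):
    """The retry the message describes. Returns (status, reply):
    'validated'   NOERROR with AD=1 on the normal query
    'unsigned'    NOERROR with AD=0 (unsigned zone, or a non-validating resolver)
    'unvalidated' SERVFAIL normally but an answer with CD=1: the case to put in
                  front of the user before trusting the data
    'fail'        nothing usable either way"""
    reply = send(build_query(name, cd=False))
    hdr = parse_header(reply)
    if hdr["rcode"] == RCODE_NOERROR:
        return ("validated" if hdr["ad"] else "unsigned"), reply
    if hdr["rcode"] != RCODE_SERVFAIL:
        return "fail", None
    retry = send(build_query(name, cd=True))
    hdr2 = parse_header(retry)
    if hdr2["rcode"] == RCODE_NOERROR and hdr2["ancount"] > 0:
        return "unvalidated", retry
    return "fail", None


if __name__ == "__main__":
    for n in ("www.signed.example.", "www.bogus.example.", "www.example."):
        print(n, resolve_with_soft_fail(n, fake_validating_resolver)[0])
```

The point of the `unvalidated` status is that the CD answer carries no AD bit and must never be cached or acted on as if it were validated; it exists only so the client has something to show the user when asking whether to proceed. Note also that on the first query AD=0 with NOERROR does not distinguish an unsigned zone from a resolver that does not validate at all, so a client relying on this flow needs a resolver it trusts to set AD (RFC 4035 says AD is only meaningful over a secure path to the resolver).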