Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

Paul Wouters <> Thu, 30 July 2020 21:10 UTC

Date: Thu, 30 Jul 2020 17:10:30 -0400 (EDT)
From: Paul Wouters <>
To: Joe Abley <>
cc: Ben Schwartz <>, dnsop <>

On Thu, 30 Jul 2020, Joe Abley wrote:

> My sense is that this is a nice idea in theory but doesn't solve a problem that anybody actually has, and the camel is starting to look a little bit fraught. But I don't think any proposal should succeed or fail based on anybody's uninformed sense, hence the request for more data.

This proposal is meant to increase the amount of trust people can place in
DNSSEC by decreasing the hard trust that is currently required of ICANN,
Verisign and the TLD operators. I understand in our community, we do
not see this as a big problem. Unfortunately outside our community it is.

It is further interesting that you raise your point of "the risk analysis
shows we can never afford to deploy this" when a few months ago you
raised the reverse point that "we don't want to be forced to have to use
this to be seen trustworthy". Both arguments cannot be true.

As for the DNS camel, we are talking about 1 bit and maybe 20 lines of
code in the resolver. Looking at the rest of the current drafts in
DNSOP, I think this isn't going to break the camel's back.

As for your single issue, the glue issue, you could also change your
takedown system. You could bring up a zone and update
the NS glue for the to use that, give out the original
IP and sign it with's key. It would even work with
resolvers that insist on hardening and confirming glue, so you would
actually improve your .org deployment independently of this draft.

What I'm trying to avoid is adding complexity to support these already
unstable "run on glue" domains. Sure, we could add an exception for
A/AAAA since these records are of low value to protect because on-path
attacks can just NAT/route it to them anyway, but doing so would
actually increase the complexity of the code and muddle the expectation
of the protection of a "delegation only" zone.