Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

Joe Abley <> Thu, 30 July 2020 21:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 424BA3A0DBC for <>; Thu, 30 Jul 2020 14:58:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id y53R2YZ-nZln for <>; Thu, 30 Jul 2020 14:58:01 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AADE13A0D90 for <>; Thu, 30 Jul 2020 14:58:00 -0700 (PDT)
Received: by with SMTP id u64so27057723qka.12 for <>; Thu, 30 Jul 2020 14:58:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=13fWb0zbI+4CYxhISDMBXbo7FPj7l4eM6M7XJrXgPto=; b=kAtLhqT7Oc6Spvwix2+ZOgSyLdZz6oK4A+dkaplxTmjbF/awiruBxiOI/fP28kcjUN rkIGDqsEZof4Y2v5dHCjX4WzKAMdOZshdawqW4LP4tGMoeLBamfp8eN130RSzOyxKJfC KPB3w5OQYRVB+uGBk/7pAHtMiq29m7rlT6moA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=13fWb0zbI+4CYxhISDMBXbo7FPj7l4eM6M7XJrXgPto=; b=sPkRAAVBox6gcwMvU9EEObXoHoWNrlTAl0H+6qsBO1O3dRfpFI3WGVz59EOM64S5sa Sw/CR2ingMCtXQicaZwtmwSK4cqHL4PH42fb05cionfeOG2vTYuaZODYYqnFCteT0rlf DD6AXmf8FhyDc7RDB+QX5KjkdNJh9lTO7IDYrGGi1qVmp7FmYgFyyXITRW9Tm4upFUON zONlSLXu/KNfmfpN8dNWYyf41QkjWF7ffluBEKG7uf7446XSSxdaQvSuLwha5/42m5gt p//+tf9snBkhLbRNb/wr8UnXHheZjZwCXBSzn45podmFKxduf5CZ6qk1IqdEB97leU4A 95BQ==
X-Gm-Message-State: AOAM533xZiDr3IG8nJFARS7nlSoo8jLoTTGzEx4H2YfkdYK6sFWrk5U6 fEmgcPmKELceUpHYufVuV9GNZO71ZDQu1w==
X-Google-Smtp-Source: ABdhPJzTautfA9d7t3+btp3wVkC91vsdaYnTr6G8GCqFyK963AHF/LPXSwPkPv77WaMcphQW5sNmgg==
X-Received: by 2002:a05:620a:22b4:: with SMTP id p20mr1224786qkh.340.1596146279310; Thu, 30 Jul 2020 14:57:59 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:e784:c7:cc64:e39d:b3f2:81cb? ([2607:f2c0:e784:c7:cc64:e39d:b3f2:81cb]) by with ESMTPSA id b20sm6383296qta.51.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Jul 2020 14:57:57 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
From: Joe Abley <>
In-Reply-To: <>
Date: Thu, 30 Jul 2020 17:57:54 -0400
Cc: Ben Schwartz <>, dnsop <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <>
To: Paul Wouters <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jul 2020 21:58:03 -0000

On 30 Jul 2020, at 17:10, Paul Wouters <> wrote:

> On Thu, 30 Jul 2020, Joe Abley wrote:
>> My sense is that this is a nice idea in theory but doesn't solve a problem that anybody actually has, and the camel is starting to look a little bit fraught. But I don't think any proposal should succeed or fail based on anybody's uninformed sense, hence the request for more data.
> This proposal is meant to increase the amount of trust people can place in
> DNSSEC by decreasing the hard trust that is currently required of ICANN,
> Verisign and the TLD operators. I understand in our community, we do
> not see this as a big problem. Unfortunately outside our community it is.

Can you provide some information about that? I think it would be helpful to understand the problem that people are bothered by.

> It is further interesting that you raise your point of "the risk analysis
> shows we can never afford to deploy this" when a few months ago you
> raised the reverse point that "we dont want to be forced to have to use
> this to be seen trustworthy". Both arguments cannot be true.

Well, I didn't say that we can never afford to deploy anything. Clearly we can deploy lots of things all the time. I think I've explained why we couldn't just turn this on in ORG right now, and so a requirement to do so would be a problem.

The lines of code to be added to particular implementations are not the only measure of complexity in deployment, however. We don't have a good handle on all the software that exists between application and authority server, nor how it interacts. There are costs in resolution failures that appear intermittent because they happen with some applications, networks or hosts but not others, assuming that it is deployed anywhere.

If the technical difficulties for particular registries like ORG can be circumvented but the benefits are not obviously compelling, then there's the question of why any commercial registry would implement this proposal. If it needs to happen as a contractual obligation, then that means contract changes and although that's very much not my area, my sense is that that's a fairly heavy ball that needs to be rolled up a steep and tall hill. That sounds like a cost to me.

Without widespread implementation, I'm not sure how the problems (admittedly, problems that I don't really understand) will actually be addressed. The costs will remain, however. And right now I haven't heard a single example of a TLD that might be in a position to implement this (not saying there isn't one, just that I haven't heard an example).