Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

"John R Levine" <johnl@taugh.com> Sat, 22 July 2017 06:33 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF925126DEE for <dnsop@ietfa.amsl.com>; Fri, 21 Jul 2017 23:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=X5HZdT8W; dkim=pass (1536-bit key) header.d=taugh.com header.b=Ce71v+ci
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggBtV1DJOHRg for <dnsop@ietfa.amsl.com>; Fri, 21 Jul 2017 23:33:34 -0700 (PDT)
Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E902126C22 for <dnsop@ietf.org>; Fri, 21 Jul 2017 23:33:34 -0700 (PDT)
Received: (qmail 69445 invoked from network); 22 Jul 2017 06:33:32 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=10f43.5972f1bc.k1707; bh=lFeO28oQFaZ+RpnOJ+rMnwLdCnrYzeem70jCJSIqnc0=; b=X5HZdT8WZfuWcYBfDtzAM8qc1lGlyXT4rh2pxPMX+npo0NoiVVtpBfsO1ydzK8dIB84gkq18DZcl2UZtFZI9G4WQxLCpKkwxOA2s1NbRdMpkT6dQ72+Ouquad/uFuVlCJYOEsZ7p4n9q/PwdMIFDh6ib8CZXdSCLhucbof2k9tlig9LYmluvbBGHVLzsXr2Si/cbhirfrxzyPwI07gkFBCP268CdRmKOaxjdMHuPbBMwZ4HTxY87gtCxiE76radQ
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=10f43.5972f1bc.k1707; bh=lFeO28oQFaZ+RpnOJ+rMnwLdCnrYzeem70jCJSIqnc0=; b=Ce71v+ciZwq6BZJZYUgJhVc6oOge7H72L7GTcZyvZT0wHrxtibX8FaB9qQE8zGlBBMbwQf/5gNbzxsVXF+AExnSygWahTy699ixsEWLP+eTPXdwk85OLLVSfqO0TFNLqWPBhDWFf6kL7yPbs8RoZUjzM721/Lq8w3lkkMKMykcldXcIoxLynwftuxxC5L/XURw6WIQS7Q8XqIusocWYD9tTaxAkgJcv1e3uN8bFrhTU5N2oDihATCHyZNVn1zjZL
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 22 Jul 2017 06:33:32 -0000
Date: 22 Jul 2017 08:33:30 +0200
Message-ID: <alpine.OSX.2.21.1707220815520.9675@ary>
From: "John R Levine" <johnl@taugh.com>
To: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <A05B583C828C614EBAD1DA920D92866BD08233DE@PODCWMBXEX501.ctl.intranet>
References: <alpine.LRH.2.20.1707190347390.10419@ns0.nohats.ca> <20170719215749.2241.qmail@ary.lan> <A05B583C828C614EBAD1DA920D92866BD081E78B@PODCWMBXEX501.ctl.intranet> <alpine.OSX.2.21.1707200928290.4118@dhcp-8e4c.meeting.ietf.org> <A05B583C828C614EBAD1DA920D92866BD08233DE@PODCWMBXEX501.ctl.intranet>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/b75lNjSTD3jMfLedN9TxYsP4SWw>
Subject: Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jul 2017 06:33:36 -0000

> Having said that, just what level of significance would it take
> for us to bend in this respect?  What type of feature, etc.?

For DNSSEC the issue was the fundamental integrity of the DNS.  I 
think it's fair to say that this isn't that.

>> ...BULK absolutely requires online DNSSEC signing,
> Unfortunately, I respectfully reject this as a statement of fact.
> There's even a provision (NPN) ...

  ... which only works if you upgrade every validating resolver.  If you 
get to do that, you might as well just send the signed BULK record, the 
NSEC and RRSIG that show there's nothing at the name, and let the resolver 
figure it out.  Given how slowly people update their client DNS libraries, 
NPN would be a recipe for decades of DNS flakiness, as some resolvers 
accept the generated records and some don't.

As I said a few messages ago, this really needs to wait until we figure 
out how to signal DNS versioning, and if we don't want to wait for every 
resolver in the world to be updated, how to distribute signing keys along 
with AXFR/IXFR to allow online signing to work portably.

I'm not opposed to BULK because I don't think it's useful -- there are 
plenty of RRs that are useless but harmless.  But I really don't want to 
break the DNS, particularly for something that is at most arguably useful.

R's,
John

PS: I hope it's self evident why "it doesn't matter because hardly anyone 
uses DNSSEC" is not a persuasive argument.