IETF Logo Mail Archive

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Paul Vixie <paul@redbarn.org> Fri, 13 March 2015 16:28 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABFA01A006B for <dnsop@ietfa.amsl.com>; Fri, 13 Mar 2015 09:28:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LsUY8Mi0-D9c for <dnsop@ietfa.amsl.com>; Fri, 13 Mar 2015 09:28:26 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE8D71A002C for <dnsop@ietf.org>; Fri, 13 Mar 2015 09:28:23 -0700 (PDT)
Received: from [IPv6:2001:200:0:ff30:85ef:2382:cae3:f6c5] (unknown [IPv6:2001:200:0:ff30:85ef:2382:cae3:f6c5]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 4024B1814C; Fri, 13 Mar 2015 16:28:23 +0000 (UTC)
Message-ID: <5503101F.9060205@redbarn.org>
Date: Sat, 14 Mar 2015 01:28:15 +0900
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 3.0.11 (Windows/20140602)
MIME-Version: 1.0
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
References: <20150312125913.20188.qmail@cr.yp.to> <3D558422-D5DA-4434-BDED-E752BA353358@flame.org> <m27fulry37.wl%randy@psg.com> <55030A28.8050707@necom830.hpcl.titech.ac.jp>
In-Reply-To: <55030A28.8050707@necom830.hpcl.titech.ac.jp>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/alternative; boundary="------------040702020106090705090601"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/eMTBeQIBCE3l6zLafIgaPqcEoYU>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 16:28:31 -0000


> Masataka Ohta <mailto:mohta@necom830.hpcl.titech.ac.jp>
> Saturday, March 14, 2015 1:02 AM
> Randy Bush wrote:
>
>>> What problem are we specifically trying to solve here again?
>> not break things that are working
>
> Yup. Qmail or any software produced by djb adhering the existing
> standards of the Internet.

you say "adhering to ... standards".
i say "depending on corner cases".

ultimately what matters is whatever works. if cloudflare decides to stop
answering QTYPE=ANY then it would take all million or so qmail customers
complaining to cloudflare's NOC to get cloudflare to change its mind. i
don't think that's going to happen, for a number of reasons, one of
which is that the corner case qmail is depending on was a bad idea
originally and has gotten nothing but worse since then. but let's run
the experiment, shall we?
>
>
> Paul Vixie wrote:
>
>> everything is broken, depending on whom you ask.
>
> The worst broken thing in DNS is DNSSEC.

thank you for amplifying my point.
>
> As a person who have been saying DNSSEC has been broken from the
> beginning, after which, as certain amount of operational experiences,
> it was revised several times along ways to fix some (but not all),
> IMHO, broken parts, may I volunteer to fix not ANT but DNSSEC entirely?
>
> Before replying me, remember that you have been saying, from the
> beginning, that DNSSEC was OK if it were properly implemented.

i probably said that fifteen years ago and maybe i said it again ten
years ago. here is me, on record:

> DNSSEC is a colossal flop, but not a mistake. It's an embarrassment,
> but we'd do it all again if we had to. It's late -- it was started
> years before the IPv6 effort but is (believe it if you can) even less
> finished and less deployed than IPv6. It's ugly and complicated and if
> we knew then what we know now we'd've scrapped DNS itself and started
> from scratch just to avoid the compromises we've made. But we didn't
> know then, etc., and what we have to do now is avert our gaze and
> fully deploy this ugly embarrassing thing.
>
> Let me explain.
>
> ... 
(http://www.dnssec.net/why-deploy-dnssec)


see also:

> At the time of this writing DNSSEC mostly does not work. 
(http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/)
>
> I may temporally ignore fundamental operational impossibility of
> DNSSEC and try to make it least harmful w.r.t. DDOS.

uh, thanks?

-- 
Paul Vixie

v2.23.0 | Report a Bug | By Email