Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Paul Vixie <> Fri, 13 March 2015 16:28 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id ABFA01A006B for <>; Fri, 13 Mar 2015 09:28:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LsUY8Mi0-D9c for <>; Fri, 13 Mar 2015 09:28:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DE8D71A002C for <>; Fri, 13 Mar 2015 09:28:23 -0700 (PDT)
Received: from [IPv6:2001:200:0:ff30:85ef:2382:cae3:f6c5] (unknown [IPv6:2001:200:0:ff30:85ef:2382:cae3:f6c5]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 4024B1814C; Fri, 13 Mar 2015 16:28:23 +0000 (UTC)
Message-ID: <>
Date: Sat, 14 Mar 2015 01:28:15 +0900
From: Paul Vixie <>
User-Agent: Postbox 3.0.11 (Windows/20140602)
MIME-Version: 1.0
To: Masataka Ohta <>
References: <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/alternative; boundary="------------040702020106090705090601"
Archived-At: <>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Mar 2015 16:28:31 -0000

> Masataka Ohta <>
> Saturday, March 14, 2015 1:02 AM
> Randy Bush wrote:
>>> What problem are we specifically trying to solve here again?
>> not break things that are working
> Yup. Qmail or any software produced by djb adhering the existing
> standards of the Internet.

you say "adhering to ... standards".
i say "depending on corner cases".

ultimately what matters is whatever works. if cloudflare decides to stop
answering QTYPE=ANY then it would take all million or so qmail customers
complaining to cloudflare's NOC to get cloudflare to change its mind. i
don't think that's going to happen, for a number of reasons, one of
which is that the corner case qmail is depending on was a bad idea
originally and has gotten nothing but worse since then. but let's run
the experiment, shall we?
> Paul Vixie wrote:
>> everything is broken, depending on whom you ask.
> The worst broken thing in DNS is DNSSEC.

thank you for amplifying my point.
> As a person who have been saying DNSSEC has been broken from the
> beginning, after which, as certain amount of operational experiences,
> it was revised several times along ways to fix some (but not all),
> IMHO, broken parts, may I volunteer to fix not ANT but DNSSEC entirely?
> Before replying me, remember that you have been saying, from the
> beginning, that DNSSEC was OK if it were properly implemented.

i probably said that fifteen years ago and maybe i said it again ten
years ago. here is me, on record:

> DNSSEC is a colossal flop, but not a mistake. It's an embarrassment,
> but we'd do it all again if we had to. It's late -- it was started
> years before the IPv6 effort but is (believe it if you can) even less
> finished and less deployed than IPv6. It's ugly and complicated and if
> we knew then what we know now we'd've scrapped DNS itself and started
> from scratch just to avoid the compromises we've made. But we didn't
> know then, etc., and what we have to do now is avert our gaze and
> fully deploy this ugly embarrassing thing.
> Let me explain.
> ... 

see also:

> At the time of this writing DNSSEC mostly does not work. 
> I may temporally ignore fundamental operational impossibility of
> DNSSEC and try to make it least harmful w.r.t. DDOS.

uh, thanks?

Paul Vixie