Re: [DNSOP] IETF meeting prep and what

Mark Andrews <> Wed, 30 June 2021 22:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E1B8D3A2DBE for <>; Wed, 30 Jun 2021 15:28:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=IWYREbzp; dkim=pass (1024-bit key) header.b=oZiRQHLn
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WJhs1OXRSvJD for <>; Wed, 30 Jun 2021 15:28:31 -0700 (PDT)
Received: from ( [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AAB353A2DBB for <>; Wed, 30 Jun 2021 15:28:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPS id 5734A3AB02A; Wed, 30 Jun 2021 22:28:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=ostpay; t=1625092109; bh=G2gpVI3lq5GA0fm547MJPCDvxZrmcmcJ4Y/RVpG89+U=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=IWYREbzp7GATqCUibroeSGaaQEydc2sv6m7zNmta5fk7I3qlF3yocaiAwm4qjdwd7 fSi5gana507fr8hMq2zQB3quT4E6wxJAR5RtSatNN6fY3ayWby8bveYqu5YCm3FDn0 2Da2tOzfaG4PoQ53qHIxirQmY6Q2Va3QW0SARf3E=
Received: from (localhost.localdomain []) by (Postfix) with ESMTPS id EEC4816003F; Wed, 30 Jun 2021 22:28:28 +0000 (UTC)
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id 9B11816006E; Wed, 30 Jun 2021 22:28:28 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 9B11816006E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1625092108; bh=h3ZFHqE1c57u5L14A6vcMpLSMwtpW6/LRB2beX+KQWM=; h=Content-Type:Mime-Version:Subject:From:Date: Content-Transfer-Encoding:Message-Id:To; b=oZiRQHLnOoSEoL4C6FjzWX9vBTRRGr2innp1tqChHH3LMqorbLI3Ri4IpXF6hbNld YSiIFEa+IXZh18/FCBdlXbZEj9VkgUIrE+QaDqRNdd3y4Z/fjSJj73gdBUE2VhOzll Ay6WXztco9x5ff02GvE98O50ejXv62a0gkFzzFYM=
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id CpWfwV3SEDRw; Wed, 30 Jun 2021 22:28:28 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTPSA id E0EF316003F; Wed, 30 Jun 2021 22:28:27 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Mark Andrews <>
In-Reply-To: <>
Date: Thu, 01 Jul 2021 08:28:25 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <>
To: Michael StJohns <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [DNSOP] IETF meeting prep and what
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jun 2021 22:28:37 -0000

I’d argue that there are a magnitude more resolvers than browsers in the world.  There are lots of devices that have a resolver but don’t have a browser.  Think of all the smart light bulbs.  They all need to be able to update their trust anchors.  DNSSEC deployment is still in its infancy.

> On 1 Jul 2021, at 05:26, Michael StJohns <> wrote:
> Peter et al -
> It might be useful to review RFC 4986 - - Requirements Related to DNS Security Trust Anchor Rollover - to understand what the problem requirements were/are before resurrecting this discussion again.   If the requirements have changed, then perhaps we need a new solution, but we should probably update 4986 before tossing 5011.
> Peter -
> WRT to your analogy to the CA system, I will note that browser clients (where the trust anchors are embedded for the CA) are not even close to being updated in the same manner as recursive resolvers (not simply "DNS clients") and many resolvers are used to provide services within various small and large organizations rather than being owned and updated by a single person.   For one thing, there are orders of magnitude more browers than there are resolvers.  For another,  resolvers are rarely updated automatically.   What would be interesting is to get some idea of the set of resolvers with no active management being performed on them - including software updates.
> Mike
> On 6/30/2021 2:59 PM, Peter van Dijk wrote:
>> Hello DNSOP,
>>> I propose replacing rfc5011-security-considerations with a short document deprecating 5011 in its entirety. I am happy to write text for that, if there is an appetite - when the WG queue is small enough!
>> I see this ruffled some feathers. Here's a more nuanced version.
>> I feel that 5011, for the purpose of root key rollovers, is the wrong tool, -especially- combined with the trust anchor signaling that various resolver stacks sent to the root. Lack of clarity about where various signals came from, combined with some interesting bugs in implementations, has led to a lot of wild goose chases, and it would not surprise me (but I cannot prove) that bad data is what delayed the first roll for so long. Not actual problems predicted by the data; just bad data. (I have mentioned before that I think the trust anchor signalling was a mistake too, and any calls for 'more of this' are 'calls for more bad data' and we do not need more bad data.)
>> I feel that the right mechanism for root key distribution is software distributors. This is working fine for the CA system, and with keys announced far enough in advance, should work fine for DNSSEC. Software distributors have solved this problem; they are very good at distributing things; I suggest we let them solve this for us.
>> rfc5011-security-considerations is a good document, and I apologise for targeting it unfairly - my problem with 5011 is as above. Given my next two point, it probably makes sense to publish rfc5011-security-considerations.
>> With heaps of 5011 'client' implementations out there, I am in no way proposing that root rolls happen in a way that that software could not follow along. I am only proposing that we write down that 5011 is not the best fit for the problem, and recommend against more client implementations of it *for the purpose of root key rolls*.
>> I think (can't find it right now) that somebody mentioned that 5011 has its place outside of the root key system, inside enterprises. I'm inclined to disagree, but do not feel entirely capable of judging that. If (again, when there's WG bandwidth) we draft a document about why 5011 is a bad fit for the root, perhaps somebody can contribute text about the level-of-fit for other use cases.
>> Kind regards,
> _______________________________________________
> DNSOP mailing list

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: