Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Paul Vixie <paul@redbarn.org> Mon, 15 July 2019 01:59 UTC

From: Paul Vixie <paul@redbarn.org>
To: Rob Sayre <sayrer@gmail.com>
Cc: dnsop@ietf.org
Date: Mon, 15 Jul 2019 01:59:28 +0000
Message-ID: <3220557.rvQTihJl8x@linux-9daj>
Organization: none
In-Reply-To: <CAChr6SyapDz8ZKNU8nOuncPMWajBuE+eF3WMFP9GWAs+B-uP9g@mail.gmail.com>
References: <CAChr6SyVmgMpD6Cd=m2Z03nts-Bv9ZVgJkG8oaj_jzwYMUZuCg@mail.gmail.com> <4966582.gC1Lsr5W4Z@linux-9daj> <CAChr6SyapDz8ZKNU8nOuncPMWajBuE+eF3WMFP9GWAs+B-uP9g@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/r5eU4XnWWCPSrn18cJF81hkUy8g>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00
Precedence: list

On Monday, 15 July 2019 01:41:10 UTC Rob Sayre wrote:
> Thank you for the elegant response. BCP 61 describes this issue well, too.
> 
> https://tools.ietf.org/html/bcp61
> 
> DNS seems like it still operates in the clear, and that doesn't seem good.

first we signed transactions with asymmetric keys -- SIG(0).

then we signed them with symmetric keys -- TSIG.

then we signed data with assymetric keys -- DNSSEC.

then we encrypted transactions with assymetric keys -- DoT.

the the web community caught wind of it and threw a molatov cocktail into our 
movie theater -- DoH.

changing DNS isn't quick or easy or cheap -- it's the trifecta of "fast, good, 
or cheap, choose two" and you have to say "i choose none of the above."

and DNS is nowhere near as simple as the web community wants to believe.

we could use a lot more help pushing DNSSEC and DoT, for end to end 
authenticity and hop by hop secrecy+authenticity. we've done the parts of 
these that weren't quick and the parts that weren't easy and the parts that 
weren't cheap as well as the parts that weren't and can't be good. what we 
need now is a unified deployment effort on these technologies. help?

-- 
Paul

[DNSOP] Fwd: [Add] new draft: draft-grover-add-po… Andy Grover
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Paul Vixie
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Paul Vixie
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Paul Vixie
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] [Add] new draft: draft-grover-add-pol… David Conrad
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Paul Vixie
Re: [DNSOP] [External] Re: Fwd: [Add] new draft: … Andrew M. Hettinger
Re: [DNSOP] [External] Re: Fwd: [Add] new draft: … Peter Saint-Andre
Re: [DNSOP] [External] Re: Re: Fwd: [Add] new dra… Andrew M. Hettinger
Re: [DNSOP] [External] Re: Fwd: [Add] new draft: … Rob Sayre
Re: [DNSOP] [External] Re: Fwd: [Add] new draft: … Andy Grover
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] [External] Re: Fwd: [Add] new draft: … Rob Sayre
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Eric Rescorla
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Alejandro Acosta
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Tommy Jensen
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Eric Rescorla
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Rob Sayre
Re: [DNSOP] Fwd: [Add] new draft: draft-grover-ad… Tommy Jensen
Re: [DNSOP] [Add] [Ext] new draft: draft-grover-a… Rob Sayre
Re: [DNSOP] [Add] [Ext] new draft: draft-grover-a… Paul Hoffman
Re: [DNSOP] [Add] [Ext] new draft: draft-grover-a… Rob Sayre