Re: [DNSOP] meta issue: WG to discuss DNS innovation (was Re: draft-hzhwm-start-tls-for-dns-00)

Paul Vixie <> Sun, 16 February 2014 19:44 UTC

To: Joe Abley <>
Cc: dnsop <>, Paul Hoffman <>

Joe Abley wrote:
> ...
> If we believe all these problems are intractable, then we might as well just accept that overloading TXT records and reflection attacks are a fact of life, and stop worrying about them.

reflection attacks aren't a fact of life. DNS RRL does not require a
forklift upgrade of the infrastructure, isn't stopped by middleboxes,
and does not change the protocol. i think you should discriminate more
finely as to what we ought and ought not give up about.

> What I would prefer, though, is a more entrepreneurial approach where the likelihood of short-term operational problems (or even long-term failure of the work) should not stop us from trying. ...

those were my exact words upon the publication of RFC 2671. it's been
fifteen years. i think if any change to the dns protocol was going to be
useful enough to overcome edge corruption and edge inertia, it would be

however, it's heartening to see another generation of cannon fodder
lining up to enter the trenches. you go, joe. i'll cheer you on. but
i'll be working on a RESTful/JSON API to hide DNS edge traffic inside
TLS, in sessions not managed by any X.509 CA, while cheering you on.

> So, how about a starting point where we assume that if a particular extension has value to anybody, the operators (the market) will adjust to allow it to work, and if it doesn't, then adjustments are not necessary?
> Anybody else feel like working on the specification for SCTP transport? :-)

go, joe, go!