[DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 20 July 2017 15:08 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id EE6671252BA for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 08:08:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=b2y4rxAt; dkim=pass (1024-bit key) header.d=yitter.info header.b=LNuOzU/o
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 48aYa8kVoh5f for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 08:08:20 -0700 (PDT)
Received: from mx4.yitter.info (mx4.yitter.info []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A72A131CDF for <dnsop@ietf.org>; Thu, 20 Jul 2017 08:08:15 -0700 (PDT)
Received: from localhost (localhost []) by mx4.yitter.info (Postfix) with ESMTP id 6A14DBD996 for <dnsop@ietf.org>; Thu, 20 Jul 2017 15:08:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1500563294; bh=EJ32RjvUkci9cG/YLE8mfQX1/mDVZWl9pOFAqjrGfik=; h=Date:From:To:Subject:References:In-Reply-To:From; b=b2y4rxAts3d6UeegFba4UUjC3zTudlag2OMP1oBC1lkPavzg0qH3bHqZzUbylxyZU Fs3ksz3Fjk8rxXS3bo8bEX1C8VKN4+6L+W9zVAEdMHXDoe+ihpLKawI0TiFlMDtZYI S+Ld3DMn2IQJ2IQqlsVUig2bfj1RsoIhn9WyzyMk=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([]) by localhost (mx4.yitter.info []) (amavisd-new, port 10024) with ESMTP id hmA3BtKyYpUj for <dnsop@ietf.org>; Thu, 20 Jul 2017 15:08:13 +0000 (UTC)
Date: Thu, 20 Jul 2017 11:08:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1500563292; bh=EJ32RjvUkci9cG/YLE8mfQX1/mDVZWl9pOFAqjrGfik=; h=Date:From:To:Subject:References:In-Reply-To:From; b=LNuOzU/oNDXbAgrWfhjqLCBwPQdet1Ul+CO8FPr0rB1DrLuHS89hnR0QcJ2/PSnub LSzrtV4c9Qglm57LzuczX1dAdMdKaoD5/v507KYKpbJ9cA11GS/88OcxYRZ1anJYZ9 yq1VQ+8azziMiItFhA+Fc39R3ZLZODYskfZATGis=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170720150809.qv6nbwsite7icu45@mx4.yitter.info>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/u4vBMJF39Eg6kAcQYhNLS8OC3Mg>
Subject: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 15:08:22 -0000

Dear colleagues,

On Mon, Jul 10, 2017 at 06:16:53PM -0400, Shumon Huque wrote:
> negotiation from the beginning, fail open would not have been necessary.
> This fail open behavior frequently takes people not in the DNSSEC club by
> complete surprise. I've lost track of how many "WTF" moments I've had to
> explain to other people about this behavior.

DNSSEC is mostly like that.  I think it is because most people used to
security extensions are used to them in end to end protocols, and used
to failing when the arrangement is not end-to-end.  For instance,
people also express astonishment that DNSKEYs don't expire.  Everyone
always has to be reminded that signatures expire, and if you want to
expire keys you take them out of the zone.

This is not to say, "Stupid users," but instead to say that at least
_part_ of the reason DNSSEC violates a lot of expectations is because
DNS does.  People continue to believe, for example, that there's
always one authoritative server, one recursive, and one stub.  We all
know that's _also_ a bad model, but it's mostly good enough except
when it isn't.

So, I think one can sympathise completely with the "WTF" moments, but
still think the response is, "Yep, this thing violates all your
assumptions.  Sorry."

Best regards,


Andrew Sullivan