[DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)
Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 20 July 2017 15:08 UTC
Date: Thu, 20 Jul 2017 11:08:10 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170720150809.qv6nbwsite7icu45@mx4.yitter.info>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com>
In-Reply-To: <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/u4vBMJF39Eg6kAcQYhNLS8OC3Mg>
Dear colleagues,

On Mon, Jul 10, 2017 at 06:16:53PM -0400, Shumon Huque wrote:

> negotiation from the beginning, fail open would not have been necessary.
> This fail open behavior frequently takes people not in the DNSSEC club by
> complete surprise. I've lost track of how many "WTF" moments I've had to
> explain to other people about this behavior.

DNSSEC is mostly like that. I think it is because most people used to security extensions are used to them in end-to-end protocols, and used to failing when the arrangement is not end-to-end.

For instance, people also express astonishment that DNSKEYs don't expire. Everyone always has to be reminded that signatures expire, and if you want to expire keys you take them out of the zone.

This is not to say, "Stupid users," but instead to say that at least _part_ of the reason DNSSEC violates a lot of expectations is because DNS does. People continue to believe, for example, that there's always one authoritative server, one recursive, and one stub. We all know that's _also_ a bad model, but it's mostly good enough except when it isn't.

So, I think one can sympathise completely with the "WTF" moments, but still think the response is, "Yep, this thing violates all your assumptions. Sorry."

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
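The point about keys versus signatures, shown as an added example that is not part of the message above: a DNSKEY record carries no validity dates at all, so the only checks a validator can make are the RRSIG inception/expiration window (RFC 4034 section 3.1.5, compared with RFC 1982 serial arithmetic) and whether the key the signature names is still present in the zone's DNSKEY RRset. The DNSKEY public-key bytes, timestamps and the `rrsig_status` helper are constructed for illustration, not taken from any real zone.

```python
import struct
from dataclasses import dataclass
from typing import List

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31

def serial_le(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a <= b' for 32-bit RRSIG timestamps."""
    return a == b or 0 < (b - a) % SERIAL_MOD < SERIAL_HALF

@dataclass
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes          # constructed sample bytes, not a real key
    protocol: int = 3          # always 3 for DNSSEC (RFC 4034 section 2.1.2)

    def rdata(self) -> bytes:
        # Note there is no inception or expiration field anywhere in the RDATA.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B: 16-bit sum over RDATA with carry folded in."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass
class RRSIG:
    key_tag: int
    algorithm: int
    inception: int    # seconds since epoch, 32-bit, serial arithmetic
    expiration: int

def rrsig_status(sig: RRSIG, zone_keys: List[DNSKEY], now: int) -> str:
    """Hypothetical helper: time checks apply to the signature, presence checks to the key."""
    if not serial_le(sig.inception, now):
        return "signature-not-yet-valid"
    if not serial_le(now, sig.expiration):
        return "signature-expired"
    # A key is "expired" only by being removed from the DNSKEY RRset.
    if not any(k.algorithm == sig.algorithm and k.key_tag() == sig.key_tag for k in zone_keys):
        return "key-absent"
    return "ok"

# Constructed sample: a KSK (flags 257, algorithm 13) and one RRSIG made with it.
KSK = DNSKEY(flags=257, algorithm=13, public_key=bytes(range(1, 9)))
SIG = RRSIG(key_tag=KSK.key_tag(), algorithm=13, inception=1500000000, expiration=1501000000)
```

Running `rrsig_status(SIG, [KSK], now)` across the window shows the signature going stale on its own clock, while passing an empty key list reports `key-absent` regardless of time.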