Re: [DNSOP] Is DNSSEC a Best Current Practice?
Mukund Sivaraman <muks@mukund.org> Fri, 11 March 2022 10:26 UTC
Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DB9F3A0F06 for <dnsop@ietfa.amsl.com>; Fri, 11 Mar 2022 02:26:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mukund.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AY9dh7DK2l12 for <dnsop@ietfa.amsl.com>; Fri, 11 Mar 2022 02:26:32 -0800 (PST)
Received: from mx.mukund.org (mx.mukund.org [IPv6:2a01:4f8:252:2ade:1::78]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 160AA3A0F02 for <dnsop@ietf.org>; Fri, 11 Mar 2022 02:26:31 -0800 (PST)
Date: Fri, 11 Mar 2022 15:56:25 +0530
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mukund.org; s=mail; t=1646994388; bh=55euPfNX+K9nrxrZbWTXrRdOdZlWXn0JgVlX4RI384k=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=BaqVFONpkisE6I3TG7c4YHmxX/yCO4MCVTUDpjHV/3pks4MOnmbU+/6j32Wi4K9dg pnog0R8x1ZitqurbwoZIIJR+deXjff8lBft1xbkc+DloawUlmbyemUYc/3eh2xKcia cEMnsK2lzxPfFJX9hRq9D6VHgsmzQsdTH36stokc=
From: Mukund Sivaraman <muks@mukund.org>
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Message-ID: <Yisj0X1NZ+RryilX@d1>
References: <88A0AA7A-01B8-4C7E-9A9A-1FB29C9FB18B@icann.org> <20220311.114445.338879450243418596.yasuhiro@jprs.co.jp> <CADyWQ+GWrjjSxb2cvLHL0Juvx95iaO__p_8--NqwwmMCTz61vw@mail.gmail.com> <42aa1418-48d7-25c5-c1b0-04811a6fe024@redbarn.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="UgVdlG0aYFn4UQt4"
Content-Disposition: inline
In-Reply-To: <42aa1418-48d7-25c5-c1b0-04811a6fe024@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xclpCDcDsLuMrfs1OeqmOg9qH8o>
Subject: Re: [DNSOP] Is DNSSEC a Best Current Practice?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 10:26:38 -0000
On Fri, Mar 11, 2022 at 01:49:41AM -0800, Paul Vixie wrote: > Tim Wicinski wrote on 2022-03-11 01:38: > > ... for several years now I have > > felt those two need to be republished with all > > the updated text from the many updates (28 for 1035, 18 for 1034) in new > > documents. This does not include any other > > changes, and it feels like a thankless task. > not just thankless but useless. a correctness preserving rewrite, from > scratch, should be performed every few decades. (we're overdue.) a goal > should be readability which will require NOT reusing most of the original > text or including the updated text. we often didn't know or otherwise > misstated our implications. every material statement made by any prior DNS > specification or update to the specification should be enumerated and > checked off as its then-modern meaning is incorporated. > > i'll offer to join a team to work on this when i eventually retire, if it > hasn't been recently enough done at that time. so, i think, should other > guilty parties. Some years back, I tried to begin a "squash" document along these lines, but like many other drafts, it was abandoned. When discussing it with colleagues, most had the opinion that this was a wasteful endeavour. Opinions were that it was too much work, that the landscape was changing too much and a new document would become obsolete too. https://datatracker.ietf.org/doc/html/draft-muks-dnsop-dns-squash-01 I've assisted new DNS developers in the course of my work. From this experience, there should be an effort to make a new modern document as the details of correctly implementing DNS are scattered in too many RFCs and drafts. It is daunting for a newcomer to navigate unless they have read all the RFCs prior and know where to find what. As an example, 2 weeks ago I was asked by a colleage why when parsing a CNAME response a resolver discards the links of the CNAME chain except for the link with the owner name it queried for (unless it can validate the other links). The way this requirement is written in the corresponding RFC, it's difficult to search and find the appropriate RFC. If someone is implementing DNS functionality afresh, they may even miss such requirements because they're all over the place. Mukund
- [DNSOP] Is DNSSEC a Best Current Practice? Paul Hoffman
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Paul Wouters
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Stephen Farrell
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Bill Woodcock
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Grant Taylor
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Colm MacCárthaigh
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Livingood, Jason
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Grant Taylor
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Yasuhiro Orange Morishita / 森下泰宏
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Paul Vixie
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Mukund Sivaraman
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Masataka Ohta
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Viktor Dukhovni
- [DNSOP] DNSSEC as a Best Current Practice Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice David Conrad
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Joe Abley
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Dr Eberhard W Lisse
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Dr Eberhard W Lisse
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Vixie
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Jerry Lundström
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice james
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Tim Wicinski
- Re: [DNSOP] DNSSEC as a Best Current Practice Mukund Sivaraman
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta