IETF Logo Mail Archive

Re: [DNSOP] Is DNSSEC a Best Current Practice?

Mukund Sivaraman <muks@mukund.org> Fri, 11 March 2022 10:26 UTC

Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DB9F3A0F06 for <dnsop@ietfa.amsl.com>; Fri, 11 Mar 2022 02:26:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mukund.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AY9dh7DK2l12 for <dnsop@ietfa.amsl.com>; Fri, 11 Mar 2022 02:26:32 -0800 (PST)
Received: from mx.mukund.org (mx.mukund.org [IPv6:2a01:4f8:252:2ade:1::78]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 160AA3A0F02 for <dnsop@ietf.org>; Fri, 11 Mar 2022 02:26:31 -0800 (PST)
Date: Fri, 11 Mar 2022 15:56:25 +0530
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mukund.org; s=mail; t=1646994388; bh=55euPfNX+K9nrxrZbWTXrRdOdZlWXn0JgVlX4RI384k=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=BaqVFONpkisE6I3TG7c4YHmxX/yCO4MCVTUDpjHV/3pks4MOnmbU+/6j32Wi4K9dg pnog0R8x1ZitqurbwoZIIJR+deXjff8lBft1xbkc+DloawUlmbyemUYc/3eh2xKcia cEMnsK2lzxPfFJX9hRq9D6VHgsmzQsdTH36stokc=
From: Mukund Sivaraman <muks@mukund.org>
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Message-ID: <Yisj0X1NZ+RryilX@d1>
References: <88A0AA7A-01B8-4C7E-9A9A-1FB29C9FB18B@icann.org> <20220311.114445.338879450243418596.yasuhiro@jprs.co.jp> <CADyWQ+GWrjjSxb2cvLHL0Juvx95iaO__p_8--NqwwmMCTz61vw@mail.gmail.com> <42aa1418-48d7-25c5-c1b0-04811a6fe024@redbarn.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="UgVdlG0aYFn4UQt4"
Content-Disposition: inline
In-Reply-To: <42aa1418-48d7-25c5-c1b0-04811a6fe024@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xclpCDcDsLuMrfs1OeqmOg9qH8o>
Subject: Re: [DNSOP] Is DNSSEC a Best Current Practice?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 10:26:38 -0000

On Fri, Mar 11, 2022 at 01:49:41AM -0800, Paul Vixie wrote:
> Tim Wicinski wrote on 2022-03-11 01:38:
> > ... for several years now I have
> > felt those two need to be republished with all
> > the updated text from the many updates (28 for 1035, 18 for 1034) in new
> > documents.  This does not include any other
> > changes, and it feels like a thankless task.
> not just thankless but useless. a correctness preserving rewrite, from
> scratch, should be performed every few decades. (we're overdue.) a goal
> should be readability which will require NOT reusing most of the original
> text or including the updated text. we often didn't know or otherwise
> misstated our implications. every material statement made by any prior DNS
> specification or update to the specification should be enumerated and
> checked off as its then-modern meaning is incorporated.
> 
> i'll offer to join a team to work on this when i eventually retire, if it
> hasn't been recently enough done at that time. so, i think, should other
> guilty parties.

Some years back, I tried to begin a "squash" document along these lines,
but like many other drafts, it was abandoned. When discussing it with
colleagues, most had the opinion that this was a wasteful
endeavour. Opinions were that it was too much work, that the landscape
was changing too much and a new document would become obsolete too.

https://datatracker.ietf.org/doc/html/draft-muks-dnsop-dns-squash-01

I've assisted new DNS developers in the course of my work. From this
experience, there should be an effort to make a new modern document as
the details of correctly implementing DNS are scattered in too many RFCs
and drafts. It is daunting for a newcomer to navigate unless they have
read all the RFCs prior and know where to find what.

As an example, 2 weeks ago I was asked by a colleage why when parsing a
CNAME response a resolver discards the links of the CNAME chain except
for the link with the owner name it queried for (unless it can validate
the other links). The way this requirement is written in the
corresponding RFC, it's difficult to search and find the appropriate
RFC. If someone is implementing DNS functionality afresh, they may even
miss such requirements because they're all over the place.

		Mukund

v2.23.0 | Report a Bug | By Email