Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Paul Vixie <> Sat, 14 March 2015 02:59 UTC

Date: Sat, 14 Mar 2015 11:59:30 +0900
From: Paul Vixie <>
To: Nicholas Weaver <>
Cc: "" <>, Morizot Timothy S <>
List-Id: IETF DNSOP WG mailing list <>

> Nicholas Weaver <>
> Saturday, March 14, 2015 5:07 AM
> ...
> Overall, unless you are validating on the end host rather than the
> recursive resolver, DNSSEC does a lot of harm from
> misconfiguration-DOS, but almost no good.

several of us jumped for joy in 2008 when kaminsky showed rdns poisoning
to be a trivial exercise, because it finally provided justification for
what was at that time 12 years of apparently-wasted effort on DNSSEC.

you're entirely right that the end-system case (for example, DANE) is
the only actual justification for the added costs and risks of Secure
DNS, and you'd be right if you said that the current system is both
over- and under-engineered for this sole actual use case.

because it takes so many years to get everybody's permission to make any
change to the DNS protocol, and so many more years to get everybody's
permission to make any change of this magnitude to the root zone, the
cost of giving up and starting over necessarily includes not just the
tear-down but the re-negotiation. not practical.

so we'll keep pushing the crap system we have, uphill all the way, no one
loving it, and almost everyone in fact hating it. we've now spent more
calendar- and person-years on DNSSEC than was spent on the entire IPv4
protocol suite (including DNS itself) as of 1996 when the DNSSEC effort
began. ugly, ugly, ugly.

Paul Vixie