Re: DNSSEC architecture vs reality

John C Klensin <> Tue, 13 April 2021 00:43 UTC

Date: Mon, 12 Apr 2021 20:42:54 -0400
From: John C Klensin <>
To: Michael Thomas <>, Nico Williams <>
Subject: Re: DNSSEC architecture vs reality
Message-ID: <5F7F84363A52E9AB79CBF9B2@PSB>

--On Monday, April 12, 2021 15:43 -0700 Michael Thomas
<> wrote:

> The one thing that bugs me about DANE is its use of a native
> RR type. This is a well trodden argument of doing it proper
> and doing it in a deployable way. We know what happens when
> you do it the "right way" which is usually nothing at all. If
> it started to get popular, we could gin up a TXT record
> alternative though, I suppose. When we were doing DKIM at
> Cisco, our IT folks were incredibly accommodating, but
> implementing a new RR type in their infrastructure would have
> probably been a bridge too far. Heck, I wouldn't be surprised
> if Mark at Y! got told the same thing :)

And I don't want to reopen that argument, but part of it is that
the original plan for TXT RR was essentially as a comment field
that anyone could put anything into that they wanted to convey
to another human.  So, if it is used to express protocol
information, figuring out which protocol and whether the data
field is correct for that protocol is basically a matter for
heuristics, no matter how good one can make them.  If there is a
choice, that is not a really good idea.  Also, it has been years
since I was involved in large-scale DNS operations (and, by
today's standards for "large", I never have been), but it seems
to me that, if a particular implementation or operational setup
makes it as hard to deal with a new RR type as your comment
above suggests, there is something seriously wrong with that
setup.  And I think the language in 1034/1035 is consistent
with that view.
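The point about heuristics is easiest to see in code. The block below is an added example and not part of Klensin's message or the IETF thread: it contrasts classifying protocol data in a free-form TXT RRset, where the resolver has to guess which protocol each string belongs to, with decoding a dedicated RR type (TLSA, RFC 6698) whose RR type already says what the data is and whose wire format is fixed. The TXT strings and the TLSA RDATA are constructed sample data; `classify_txt`, `spf_records`, `parse_tlsa` and `tlsa_rdata_ok` are names chosen for this example.

```python
"""Added example: heuristic TXT classification versus a typed RR (TLSA).

Not code from the IETF thread; sample data below is constructed.
"""
import re
import struct

# --- TXT side: everything here is a heuristic -----------------------------

# Constructed sample: the TXT RRset an apex name might return. Several
# unrelated protocols and a human note share the same RR type.
SAMPLE_TXT_RRSET = [
    b"v=spf1 include:_spf.example.net -all",
    b"google-site-verification=abc123",
    b"This zone is managed by the hosting team",
    b"V=SPF1 +all",                    # SPF again, differing only in case
    b"v=DKIM1; k=rsa; p=MIIB...",       # DKIM data published at the apex
]


def classify_txt(rdata: bytes) -> str:
    """Guess which protocol a TXT string belongs to.

    RFC 7208 section 4.5 keeps only records whose version section is
    exactly "v=spf1" terminated by SP or end of record, so "v=spf10" is
    discarded; the ABNF literal "v=spf1" is case-insensitive under RFC 5234,
    so "V=SPF1" must be kept. None of this is carried by the RR itself.
    """
    text = rdata.decode("ascii", errors="replace")
    if re.match(r"(?i)^v=spf1(\s|$)", text):
        return "spf"
    if re.match(r"(?i)^v=DKIM1\s*;", text):
        return "dkim"
    if re.match(r"(?i)^v=DMARC1\s*;", text):
        return "dmarc"
    if "=" in text and " " not in text:
        return "verification-token"   # assumption: one-token site-ownership proofs
    return "unknown"


def spf_records(rrset):
    """Return every SPF record in a TXT RRset.

    RFC 7208 section 4.5: more than one SPF record yields permerror, so the
    checker must scan the whole RRset rather than stop at the first match.
    """
    return [r for r in rrset if classify_txt(r) == "spf"]


# --- TLSA side: fixed wire format, no guessing ----------------------------

def parse_tlsa(rdata: bytes) -> dict:
    """Decode TLSA RDATA (RFC 6698 section 2.1).

    Layout: certificate usage (1 octet), selector (1 octet), matching type
    (1 octet), then the certificate association data. The RR type tells the
    consumer what this is; only field values need validating.
    """
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 octets")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    data = rdata[3:]
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError("unassigned TLSA field value")
    # Matching type 1 is SHA-256 (32 octets), 2 is SHA-512 (64 octets),
    # 0 carries the full certificate or SPKI and has no fixed length.
    expected = {0: None, 1: 32, 2: 64}[mtype]
    if expected is not None and len(data) != expected:
        raise ValueError("association data length does not match matching type")
    return {"usage": usage, "selector": selector,
            "matching_type": mtype, "data": data}


def tlsa_rdata_ok(rdata: bytes) -> bool:
    """True when parse_tlsa accepts the RDATA, False on any format error."""
    try:
        parse_tlsa(rdata)
        return True
    except ValueError:
        return False


# Constructed sample: usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256) over a placeholder 32-octet digest.
SAMPLE_TLSA_RDATA = bytes([3, 1, 1]) + bytes(range(32))

if __name__ == "__main__":
    for r in SAMPLE_TXT_RRSET:
        print(classify_txt(r), r)
    print(len(spf_records(SAMPLE_TXT_RRSET)),
          "SPF records found (RFC 7208: more than one is permerror)")
    print(parse_tlsa(SAMPLE_TLSA_RDATA))
```

The TXT side needs a list of per-protocol prefix rules that can only ever be as good as the guesses encoded in them (the sample RRset already trips the multiple-SPF-records permerror, and a stray DKIM record at the apex has to be recognised and ignored), whereas the TLSA side rejects malformed data on field values alone because the type and layout are fixed by the RR definition.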