Re: DNSSEC architecture vs reality

Keith Moore <> Tue, 13 April 2021 01:03 UTC

Subject: Re: DNSSEC architecture vs reality
From: Keith Moore <>
Date: Mon, 12 Apr 2021 21:03:05 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

On 4/12/21 8:50 PM, Michael Thomas wrote:

> The problem is that it's not this simple. Software needs to change to 
> implement new RR types which inevitably begs the question "what's in 
> it for me?" 

Well, of course software has to change to implement new RR types, because 
old software wasn't going to query for those RRs, and if it got those RRs 
back in a response it would have to ignore them.

But DNS itself shouldn't have to change to implement new RR types, more 
than (perhaps) adding a line to a table that says RR type NN has ASCII 
name XX and the following types of parameters. And that table should be 
globally and securely accessible. Encode the table in DNS somehow, put 
it in the root zone or other zone managed by the root, give it a very 
long TTL, and sign it with DNSSEC.
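As an added illustration of the point that DNS itself need not change for a new RR type (example code written for this archive page, not part of the thread or of any DNS implementation): a minimal RR parser that renders the one type it "understands" and falls back to the RFC 3597 generic encoding for everything else, so an unknown record is carried through intact instead of being dropped. The wire bytes, the name `example.test.` and the private-use type number are constructed; the parser assumes uncompressed names.

```python
import struct
import ipaddress

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(wire: bytes, offset: int):
    """Decode an uncompressed name (no compression pointers); returns (name, offset)."""
    labels = []
    while wire[offset] != 0:
        length = wire[offset]
        if length & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(wire[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset + 1

def parse_rr(wire: bytes, offset: int = 0):
    """Parse one wire-format RR into presentation form. Only type 1 (A) is
    'understood'; any other type falls back to the RFC 3597 generic form
    TYPEnnnn \\# <len> <hex>, so the record is carried intact, not dropped."""
    name, offset = decode_name(wire, offset)
    rrtype, rrclass, ttl, rdlength = struct.unpack_from("!HHIH", wire, offset)
    offset += 10
    rdata = wire[offset:offset + rdlength]
    if len(rdata) != rdlength:
        raise ValueError("truncated RDATA")
    if rrtype == 1 and rdlength == 4:
        type_text, rdata_text = "A", str(ipaddress.IPv4Address(rdata))
    else:
        type_text, rdata_text = f"TYPE{rrtype}", f"\\# {rdlength} {rdata.hex()}"
    class_text = "IN" if rrclass == 1 else f"CLASS{rrclass}"
    return f"{name} {ttl} {class_text} {type_text} {rdata_text}", offset + rdlength

def parse_all(wire: bytes):
    """Parse a concatenation of RRs; returns their presentation-form lines."""
    records, offset = [], 0
    while offset < len(wire):
        text, offset = parse_rr(wire, offset)
        records.append(text)
    return records

# Constructed sample: an A record followed by an RR of private-use type 65280
# (RFC 6895 reserves 65280-65534 for private use) carrying 4 opaque bytes.
SAMPLE = (
    encode_name("example.test.") + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    + encode_name("example.test.") + struct.pack("!HHIH", 65280, 1, 86400, 4) + bytes.fromhex("0a000001")
)
```

Running `parse_all(SAMPLE)` yields the A record in its usual form and the unknown type as `TYPE65280 \# 4 0a000001`, which a signed zone can carry and a validator can verify without knowing what the type means.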