Re: DNSSEC architecture vs reality

Keith Moore <moore@network-heretics.com> Tue, 13 April 2021 00:45 UTC

Subject: Re: DNSSEC architecture vs reality
To: ietf@ietf.org
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <b0a43f25-c4c2-9f3c-1a42-426a6ef6afa0@mtcc.com> <5F7F84363A52E9AB79CBF9B2@PSB>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <a6375223-6ff0-6ec6-dee6-1d5907bd8c65@network-heretics.com>
Date: Mon, 12 Apr 2021 20:45:00 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/FQwK1UqCZRC8Gd8Pl3i8x8mtzUE>

On 4/12/21 8:42 PM, John C Klensin wrote:

> Also, it has been years
> since I was involved in large-scale DNS operations (and, by
> today's standards for "large", I never have been),  but it seems
> to me that, if a particular implementation or operational setup
> makes it as hard to deal with a new RR type as your comment
> above suggests, there is something seriously wrong with that
> setup. And I think the language in 1034/1035 is consistent
> with that view.

+1.

Keith