DNSSEC in real life (was: snarls in real life)

Keith Moore <moore@network-heretics.com> Wed, 21 April 2021 23:44 UTC

Subject: DNSSEC in real life (was: snarls in real life)
To: ietf@ietf.org
References: <93fedaa0-5ad0-dcc0-ff01-43b8e1c97989@mtcc.com> <19f2b2e1-6365-480a-86f2-111377cac2de@www.fastmail.com> <7c77e401-4703-3921-d15d-6d69b74df488@mtcc.com> <914f3492-d56b-40ca-b7e0-bbbc65603dfa@dogfood.fastmail.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <5b3138e3-0e2d-fd98-ff7e-75c8594b1aef@network-heretics.com>
Date: Wed, 21 Apr 2021 19:44:41 -0400
In-Reply-To: <914f3492-d56b-40ca-b7e0-bbbc65603dfa@dogfood.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/JUN1DUFtCjVIdqe2Rw3kxuqYB_c>

On 4/21/21 6:57 PM, Bron Gondwana wrote:

> Rob wrote "DNSSEC is fragile and easy to get wrong in subtle ways."  I 
> say that DNSSEC is operational poison - it's hard to get right, easy 
> to get wrong, and most importantly hard to debug failures when it 
> happens - your users aren't going to be able to report the cause.  
> It's theoretically good tech, but it clearly isn't getting traction 
> and berating those who choose not to use it doesn't help.
> [...]
>
> And if it makes everything more fragile, that's a downside too.  
> DNSSEC makes things fragile based on the number of big name sites that 
> screw it up every year.  It also makes it much more expensive - DNSSEC 
> is hard to get right and hard to keep right.

I suspect that work invested in getting this fixed (whether that means 
tweaking DNSSEC, better tools, or both) would be a lot more useful (and 
satisfying) than a great many of the ideas that get kicked around on the 
ietf@ list.

Keith