Re: DNSSEC architecture vs reality

Nico Williams <nico@cryptonector.com> Tue, 13 April 2021 16:01 UTC

Date: Tue, 13 Apr 2021 10:55:31 -0500
From: Nico Williams <nico@cryptonector.com>
To: Petite Abeille <petite.abeille@gmail.com>
Cc: ietf@ietf.org
Subject: Re: DNSSEC architecture vs reality
Message-ID: <20210413155530.GG9612@localhost>
References: <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <b0a43f25-c4c2-9f3c-1a42-426a6ef6afa0@mtcc.com> <5F7F84363A52E9AB79CBF9B2@PSB> <06a8c3ef-3cd0-e287-b749-d874d9217ecf@mtcc.com> <7918BB03-5D0D-4BAE-AE10-C67087EBE9B0@gmail.com>
In-Reply-To: <7918BB03-5D0D-4BAE-AE10-C67087EBE9B0@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/KSnhAjEZYrUSpe9e6i1q-AXZLk0>

On Tue, Apr 13, 2021 at 09:55:34AM +0200, Petite Abeille wrote:
> > On Apr 13, 2021, at 02:48, Michael Thomas <mike@mtcc.com> wrote:
> > Oh, don't get me wrong: using TXT records is a colossal hack.
> 
> Perhaps. But a practical one. Perfect is the enemy of good.

The TXT RR thing is a distraction.  I'm all for pragmatism, but the
problem with using TXT RRs for anything other than commentary is that
the form of the name of the RRset is the only TXT RDATA payload type
identification available, which increases the number of distinct
domainnames one has to query, which complicates any concepts like
combining related answers or profiling queries.  Not a fatal problem,
but a very annoying one.

Since TLSA shipped (and SSHFP, and URI, and soon HTTPS and SVCB, and...)
I suspect this sub-thread can only be unproductive.  (Except insofar
as we might end up with something like J. Levine's I-D on RDATA schemas
published.)

Nico
--
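The point about TXT lacking any payload type identification, as an added example that is not part of the message above or of any IETF document: a parser for TXT RDATA (RFC 1035 character-strings) that has to guess what an RRset means from its owner name (the `_dmarc.`, `<selector>._domainkey.` and `_acme-challenge.` conventions) or from a `v=` tag inside the text, beside a parser for TLSA RDATA (RFC 6698), where the RRTYPE alone says which schema applies. The owner-name rules, the `describe` and `txt_names_to_query` helpers and every record in `SAMPLE_RECORDS` are constructed for illustration, not real DNS answers.

```python
"""
Added illustration for the TXT-vs-typed-RR point: TXT RDATA is just a list of
<character-string>s, so what a TXT RRset means has to be inferred from its
owner name (and sometimes a "v=" tag inside the text). A typed record such as
TLSA (RFC 6698) carries its own RDATA schema, so the RRTYPE alone identifies
the payload. All records here are constructed sample data, not real answers.
"""
import re
import struct
from dataclasses import dataclass


def encode_txt(*strings: str) -> bytes:
    """Encode strings as RFC 1035 <character-string>s (1-byte length + data)."""
    out = b""
    for s in strings:
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("<character-string> longer than 255 octets")
        out += bytes([len(data)]) + data
    return out


def decode_txt(rdata: bytes) -> list[str]:
    """Split TXT RDATA back into its <character-string>s, rejecting truncation."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated <character-string>")
        strings.append(rdata[i:i + n].decode("ascii"))
        i += n
    return strings


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0..3 (PKIX-TA, PKIX-EE, DANE-TA, DANE-EE)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    cert_data: bytes


def decode_tlsa(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA; the RRTYPE already told us this schema applies."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    if mtype == 1 and len(rdata) - 3 != 32:
        raise ValueError("SHA-256 matching type needs a 32-octet digest")
    return TLSA(usage, selector, mtype, rdata[3:])


# Owner-name conventions that TXT-based protocols use precisely because TXT
# carries no type field of its own (hypothetical rule table for this example).
_TXT_NAME_RULES = [
    (re.compile(r"^_dmarc\.", re.I), "DMARC"),
    (re.compile(r"^[^.]+\._domainkey\.", re.I), "DKIM"),
    (re.compile(r"^_acme-challenge\.", re.I), "ACME dns-01"),
]


def classify_txt(owner: str, strings: list[str]) -> str:
    """Guess a TXT RRset's meaning from its owner name, then from a 'v=' tag."""
    for pattern, kind in _TXT_NAME_RULES:
        if pattern.match(owner):
            return kind
    # SPF sits at the apex with no naming hint; only the content tag tells.
    if "".join(strings).lower().startswith("v=spf1"):
        return "SPF"
    return "unclassified"


def describe(owner: str, rtype: str, rdata: bytes) -> tuple[str, object]:
    """Return (meaning, parsed RDATA) for one record of an answer."""
    if rtype == "TLSA":
        return "TLSA", decode_tlsa(rdata)
    if rtype == "TXT":
        strings = decode_txt(rdata)
        return classify_txt(owner, strings), strings
    raise ValueError(f"no parser for {rtype}")


def txt_names_to_query(records) -> set[str]:
    """Distinct owner names a client must ask for to collect the TXT-based policies."""
    return {owner for owner, rtype, _ in records if rtype == "TXT"}


# Constructed sample zone data (not real answers).
SAMPLE_RECORDS = [
    ("example.com.", "TXT", encode_txt("v=spf1 include:_spf.example.net -all")),
    ("example.com.", "TXT", encode_txt("just a human-readable comment")),
    ("_dmarc.example.com.", "TXT",
     encode_txt("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")),
    ("sel1._domainkey.example.com.", "TXT",
     encode_txt("v=DKIM1; k=rsa; ", "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB")),
    ("_acme-challenge.example.com.", "TXT", encode_txt("constructed-dns01-token")),
    ("_443._tcp.example.com.", "TLSA", bytes([3, 1, 1]) + bytes.fromhex("ab" * 32)),
]

if __name__ == "__main__":
    for owner, rtype, rdata in SAMPLE_RECORDS:
        kind, parsed = describe(owner, rtype, rdata)
        print(f"{owner:32} {rtype:5} -> {kind}: {parsed}")
    print("TXT names to query:", sorted(txt_names_to_query(SAMPLE_RECORDS)))
```

Running it shows the cost the message describes: the three TXT-based mail policies and the ACME token live at four different owner names, and the two apex TXT records can only be told apart by sniffing their contents, whereas the TLSA record is fully typed by its RRTYPE and decodes without any naming heuristics.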