Re: DNSSEC architecture vs reality

John C Klensin <> Tue, 13 April 2021 01:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AE42C3A19FC for <>; Mon, 12 Apr 2021 18:16:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wf0i5Oj1bFQv for <>; Mon, 12 Apr 2021 18:16:25 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C79973A19FB for <>; Mon, 12 Apr 2021 18:16:25 -0700 (PDT)
Received: from [] (helo=PSB) by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1lW7fD-0005Tt-B8; Mon, 12 Apr 2021 21:16:23 -0400
Date: Mon, 12 Apr 2021 21:16:17 -0400
From: John C Klensin <>
To: Michael Thomas <>, Nico Williams <>
Subject: Re: DNSSEC architecture vs reality
Message-ID: <D871236156E274EABD68A85D@PSB>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <20210412221435.GV9612@localhost> <> <20210412222748.GW9612@localhost> <> <5F7F84363A52E9AB79CBF9B2@PSB> <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Apr 2021 01:16:31 -0000

--On Monday, April 12, 2021 17:48 -0700 Michael Thomas
<> wrote:

> On 4/12/21 5:42 PM, John C Klensin wrote:
>> --On Monday, April 12, 2021 15:43 -0700 Michael Thomas
>> <> wrote:

>> And I don't want to reopen that argument, but part of it is
>> that the original plan for TXT RR was essentially as a
>> comment field that anyone could put anything into that they
>> wanted to convey to another human.  So, if it is used to
>> express protocol information, figuring out which protocol and
>> whether the data field is correct for that protocol is
>> basically a matter for heuristics, no matter how good one can
>> make them.  If there is a choice, that is not a really good
>> idea.  Also, it has been years since I was involved in
>> large-scale DNS operations (and, by today's standards for
>> "large", I never have been),  but it seems to me that, if a
>> particular implementation or operational setup makes it as
>> hard to deal with a new RR type as your comment above
>> suggests, there is something seriously wrong with that setup.
>> And I think the language in 1034/1035 is consistent with that
>> view.
> Oh, don't get me wrong: using TXT records is a colossal hack.
> But operational considerations are like stubborn facts. We had
> to bite the bullet and accept NAT's too. You feel unclean and
> want to wash your hands repeatedly, but you do what you have
> to do.

An interesting analogy.  The difference is that it was widely
perceived that there was no alternative to NATs other than
conversion to IPv6 and that, unless everyone converted to IPv6
on the same day, NATs would be needed to allow interoperability
between IPv6 systems and the remaining IPv4 ones.  If there were
good alternatives, the IETF didn't do a good job of explaining
them and why they were better.

You also wrote:

> The problem is that it's not this simple. Software needs to
> change to implement new RR types which inevitably begs the
> question "what's in it for me?"

Sure.  But (different) software also has to change to implement
(to use the comments that started us down this thread) DANE.
Those changes are to mail software, systems, and configurations,
not DNS support, but they are changes nonetheless.  Yes, other
changes are needed for anything that requires that
authentication or authorization information be stored in the
DNS, but that raises the question of whether DANE's designers
could have put that information somewhere else and whether that
would have been worth it (my guess is that the answer to the
former is "probably" and, to the latter, "probably not", but
that is what gets us to the rant in RFC 8324).

So the answer to your question is "The enterprise has decided
DANE is useful and DNS updates are as much part of the price as
email changes" and, if that is not enough, then either DANE is
not actually needed or the second part of the answer is "want to
keep your job?".


> Mike