Re: Quic: the elephant in the room

Michael Thomas <> Sun, 11 April 2021 15:28 UTC

Subject: Re: Quic: the elephant in the room
References: <> <> <> <> <20210410175712.GF9612@localhost> <> <20210410195048.GG9612@localhost> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Sun, 11 Apr 2021 08:28:41 -0700
List-Id: IETF-Discussion <>

On 4/11/21 7:56 AM, Phillip Hallam-Baker wrote:
> On Sun, Apr 11, 2021 at 12:36 AM Viktor Dukhovni <> wrote:
>     On Sun, Apr 11, 2021 at 12:20:28AM -0400, Phillip Hallam-Baker wrote:
>     > Only VERIFYING digital signatures provides security. And nobody
>     > knows what to do when DNSSEC validation fails so nobody really does it
>     This is false both in premise and conclusion.  I was tempted to ignore
>     the rest of the post, but ...
> If nobody is ever going to check the sigs, they could simply be random
> bytes.
> I had a PGP sig on some of my USENET posts for a while. Nobody ever
> checked it and nobody ever noticed it was a static sig that never changed.

If Google implemented DANE in Chrome, that's who checks. It's really 
that simple.

> To justify the deployment of a new infrastructure, I do have to show that
> backporting is infeasible. I have paid particular attention to the
> reason for the failure of DNSSEC and DANE precisely because I want to
> understand what the criteria are for success.

My take is that the reason for lack of uptake is that they are viewed as 
essentially superfluous. The same thing happened to SCTP, as it was 
painful to get kernel adoption and firing up multiple TCP streams was a 
good enough band-aid. Then Quic came around with the goal of greatly 
reducing the setup time and finally fixing HoL blocking, and also 
learning that external dependencies are a good route to /dev/null. Google 
and others are completely at liberty to finish the job with Quic by 
adopting DANE and finally get back to a 3-way handshake (on average or 
possibly always). And they don't need to ask your, my, or anybody else's 
opinion on the matter, which is a Good Thing.