Re: Quic: the elephant in the room
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 12 April 2021 14:44 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF26A3A20D6 for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 07:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxbXieZF2ybB for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 07:44:23 -0700 (PDT)
Received: from mail-qk1-f181.google.com (mail-qk1-f181.google.com [209.85.222.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AD723A20D1 for <ietf@ietf.org>; Mon, 12 Apr 2021 07:44:23 -0700 (PDT)
Received: by mail-qk1-f181.google.com with SMTP id o17so5454637qkl.13 for <ietf@ietf.org>; Mon, 12 Apr 2021 07:44:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f82PWimYQhh6ppBuXLpGR9oC3pkqoGa3iWUvPbcpI+M=; b=QkAzwxYVN5sQYm1Gsxdv7vj2VqjIk3hkfFZQ7QBbdxL9c8tjCqWTq4xR3h36LefX3U FB17RnfEAFPEFiU+Z6U3HpnwKEpFIwkQTbjR5LuWpAqffHtNChDDoX8ddIHEBKehO39P hGmuNafQM3oUDipMHNmu2/LoBAKpB367jrboOZzGhvkT/CIcw0MoHpfy1gg7Gu97nQR7 aPaVLkC67k7szeJc7w1n7zk4qkkFPTbiNznYfidiKHy2/+4e2TvwXle9uDcotohYhcqv qrcGRV+b3jbNJBT72FHSGyVj1TCE3jqqYTOA33rCGhSAzJ3uopyixvD/75jA/YRXgzbW avRg==
X-Gm-Message-State: AOAM530qgbKgFr3Ch3vziAK35iRTV5zZ/YW8GQgm7D0y+yaTccWGGTqN a5Xp2FV7yir53G/A6pL0AJUEuI06vYieCSpe4Js=
X-Google-Smtp-Source: ABdhPJzUU9rwfjMRZ/2mFNVYyjn6pKdAVtUhiItSFX9flIUT4qd1UHHXxEtp37KIW6oQ8JYODjDZPWaiP0gwveA0ahc=
X-Received: by 2002:a25:7752:: with SMTP id s79mr31637033ybc.522.1618238662125; Mon, 12 Apr 2021 07:44:22 -0700 (PDT)
MIME-Version: 1.0
References: <20210412021224.GP9612@localhost> <31A7A397-747D-4099-A3A3-F845137022BD@akamai.com> <20210412002634.GO9612@localhost> <94707E61-D7D2-4494-B88C-E229C8D8F3E4@akamai.com> <YHPAoW8D7K1ew4mQ@straasha.imrryr.org> <3658907C-200F-4E11-8DAE-160D5C8CE429@akamai.com>
In-Reply-To: <3658907C-200F-4E11-8DAE-160D5C8CE429@akamai.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 12 Apr 2021 10:44:12 -0400
Message-ID: <CAMm+LwhG04am4Sn2iWb1tOdUEYnVz5Q-ehHaXk5TStCUC4FC3A@mail.gmail.com>
Subject: Re: Quic: the elephant in the room
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: "ietf@ietf.org" <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009e2b4f05bfc78c83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ybpH0xLU-G-jOtfBvOup2B8j1LI>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 14:44:28 -0000
Rich brings up a very important point which is worth generalizing: Proposals to change a deployed infrastructure must support every feature of that legacy infrastructure if they are going to be a replacement. People start off saying 'we will build on X because it is widely used'. What they don't realize is that when you do that, you have to spend time discovering and working around all the bizarre ways X is being used. The design of CAA is a case in point, it uses the DNS to publish information and was originally based on one set of assumptions. Between the original spec being written and the CABForum making it a requirement the use of CDNs went from being a niche concern to a common one and that required the handling of wildcards to be retooled. It was the exact same thing with DKIM where most of the work was discovering and working around bizarre corner cases. Any proposal that begins 'lets change the way people use DNS' has a mighty hard lift. And it is not just the technical infrastructure you need to understand, it is the commercial. The reason I was so heavily involved in DKIM was that our resellers were the businesses that would have to implement the TXT records. Ten years after DANE started, my very very large Web hosting provider I use for my secondary hosting does not support TLSA records. And they appear to have no plans to do so. And there are tens of thousands of other similar businesses that have no plans to implement TLSA because doing so is simply going to take revenue out of their pocket. They sell domains at cost and they only make profits from added value services, the biggest of which is selling SSL certificates. Same thing happened with IPv6, for at least the first decade of IPv6, the people working on it naively assumed that the way to make it attractive was to reserve functionality that would only be supported in IPv6. IPSEC being originally part of that. Only gradually did some people start to understand that the applications were not going to make use of any functionality that wasn't supported by at least 95% of the network and so features that were IPv6 only would be uninteresting and unusable. And some folk are still in denial. And the thing that worries me here is that the IETF likes to think of itself as fostering discussion and interworking between specialists in different areas. Which sounds fine in practice only those of us who actually do work at multiple layers are not exactly made to feel welcome anywhere. On Mon, Apr 12, 2021 at 8:58 AM Salz, Rich <rsalz= 40akamai.com@dmarc.ietf.org> wrote: > > > one may as well delegate the TLSA record management to the CDN: > > Sure, if you're never going to switch CDN's. > > Many big customers switch CDN's and will not delegate because, well, they > need to switch. > > There is a whole industry and providers around switching CDN's in real > time. Web-search "Cdn switch" will find them, for example. > > > But any sort of TLSA RR on the customer side, while the cert rollover > are managed by the CDN is too fragile. The TLSA RRs should properly > be published by the CDN as above. > > Sure, if there's one CDN. > > > If indeed sub-minute migration from one CDN to another is required, > then > the TTL for the _443._tcp.[...] CNAME would need to be sub-minute. Is > such a short cutover time really a requirement? > > If millions of dollars of commerce are happening per minute, then yes. Or > the head of state dies and the official news source is overloaded. > > >
- Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Stephane Bortzmeyer
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: DNS vs PKI, was Quic: the elephant in the room John Levine
- Re: DNS vs PKI, was Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room Viktor Dukhovni
- DNSSEC architecture vs reality (was: Re: Quic: th… Keith Moore
- Re: DNSSEC architecture vs reality (was: Re: Quic… Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality (was: Re: Quic… Viktor Dukhovni
- Re: Quic: the elephant in the room Andrew McConachie
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality Marco Davids
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Salz, Rich
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John Levine
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Mark Andrews
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Andrew McConachie
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Eliot Lear
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John R Levine
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Jim Fenton
- Re: DNSSEC architecture vs reality Masataka Ohta
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Donald Eastlake
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Viktor Dukhovni
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Vittorio Bertola
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: Fwd: Quic: the Elephant in the Room Michael Thomas
- Fwd: Quic: the Elephant in the Room Lars Eggert
- RE: Fwd: Quic: the Elephant in the Room Vasilenko Eduard
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker