
Re: opt-in and large zones



On Wed, Sep 18, 2002 at 03:56:07PM -0700, Bill Manning wrote:

> 	Well, to be fair, modulo Paul's grousing about the 12+months it took
> 	to get from DS spec to code, "workable" DNSsec in the form of DS
> 	capable systems is pretty fresh.  Three BIND snapshots.  Roughly 
> 	early June to present.  Hardly time to raise "major issues"
> 	in a revenue-generating, production system.

The interesting thing to note is that right now time is working against
DNSSEC. Originally we received a lot of questions about our DNSSEC
commitment because people assumed that because there was an RFC and DNSSEC
was mentioned in Bind9 release notes, there would be a deployable protocol.

Right now, the perception is growing that DNSSEC is going the way of CORBA,
OSI, X.500 and other flightless protocols. Protocols which are fraught with
difficulties but were designed to please the computer scientist in us.

Even within the DNS community, transparency has not been great. Even we
(PowerDNS) assumed that DNSSEC was workable until Olaf educated us at
HAL2001 about the problems with key rollover and the need for DS. That
conclusion was a long time overdue.

Right now I see you claiming that DNSSEC is innocent until proven guilty by
results from revenue-generating production systems, while Phillip, who is
speaking for himself, but important nonetheless, claims that it is
fundamentally broken.

It looks like the window of opportunity for DNSSEC is closing. Any
initial enthusiasm based on the mistaken perception that the protocol was
ready is now vanishing. The protocol is not getting any simpler or more ready
to deploy, which would help counter the lack of buy-in so far.

Perhaps the time has come to reverse some things and design a new DNSSEC
that is more aimed at achieving goals people are waiting for. Perhaps DNS
need not even be the protocol used - DNS in and of itself is a very
simpleminded network API. People wanting security may well want to use a
different protocol instead of riding on the coattails of a 1980s one
not very well suited for large messages and complicated semantics.

Let's not stick to our UDP port 53 packets 'because'. DNSSEC may get a
'boost' because it piggybacks on an existing protocol but the hacks to get
DNSSEC to travel existing infrastructure are getting grosser by the hour -
DS is a case in point. This perceived boost may well have cost us years.

Kind regards,

bert hubert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>