[dns-operations] Nay-saying technology was Re: uspto.gov
Ed.Lewis at neustar.biz
Tue May 18 14:35:10 UTC 2010

At 9:26 +0200 5/18/10, Stephane Bortzmeyer wrote:
>On Mon, May 17, 2010 at 10:13:06PM +0200,
> bert hubert <bert.hubert at netherlabs.nl> wrote
> a message of 47 lines which said:
>> This is a datapoint that the care level for DNSSEC in production is
>> still set to 'meh'.
>IPv6 had the same problem for a very long time (and still is in many
>places, for instance in the USA). Be patient :-)

Every now and then the list gets outbursts of "we don't want to do
DNSSEC" or "DNSSEC is too much work for too little gain" followed by
messages claiming that "you are spreading FUD." In an ideal world,
we would not have this cycle (it's a cycle because it gets nowhere.)

In 2008, after 2 years of pondering non-advancement on DNSSEC
deployment (it had stalled since 2006 at least) I gave a talk called
"Maybe it's the journey and not the Destination" - the point was that
we gained a lot of knowledge of the protocol over the years but that
the remaining work from that point exceeded what appeared to be the

As one person has told me internally "DNSSEC is like bringing a tank
to swat a fly." What Dan did was turn the fly into a rampaging lion.
A more formidable target than a fly, but still a tank is probably

I followed up the talk a few months later with "DNSSEC: Coming or
Looming." Coming is an optimistic word, looming a pessimistic word,
this talk was given after the description of the bug described by Dan

At the time I gave the latter talk (September 2008), someone asked me
what I thought about DNSSEC deployment. I said - "well, I would
never say 'only over my dead body' because that's a bad corner to be
painted into." OTOH, I still, to this day, wouldn't hold up a banner
saying "Go! DNSSEC, Go!" but, if it is coming, I'm resigned to it -
or you could say I'm looking forward to it. Really, I'm looking
forward to the deployment being finished (one way or the other).

At the RIPE meeting, an old statement made by a professor finally
(after 25 years) made sense to me. It was "don't fall in love with a
model." He was talking to a bunch of newly entranced graduate
students. We chuckled that it meant "you guys won't get fashion
models for dates" but it eventually dawned on me that he was saying
"never leave sight of why you are here - to serve solutions to the
world's problems. You might develop a world model of how you think
things should be, but that should always be back seat to serving the
public good." It wasn't meant to stir up passions for public
service, but a warning that if you don't respond to the public, you
will wind up like Don Quixote (tilting at windmills).

DNSSEC is not mandatory, no one has to lift a finger because of this.
If you are writing code or operating a service and the public desires
it, you have the choice to either take it on and keep up serving your
public or begin to turn them away. If the public wants it, they will
find it. When you think the "public is crazy" look in the mirror and
see if there's a Sancho Panza standing behind you.

Being one of the originators of DNSSEC, I stopped being a fan of it
long ago. It's not that I don't like it or see flaws in it or have
any issue with it. I think it is a good design. However, it's not up
to me to "determine the bus route" - DNSSEC is simply a mechanism
with set costs and workload and a set of targets and features. It
isn't a culture or a way of life or a statement of values. The
adoption of DNSSEC will come from demand to have a safer DNS.

Over time that fly, now a lion, may become a target appropriate for a
tank. The question for members of the list is whether you want to be
involved in building the tank in the anticipation that the target
does grow or whether you are going to sit this out and expend your
time and energy on other issues out there.

DNSSEC isn't easy. But it's the best security we have for the data
plane in DNS. Is it worth the cost to do it? It depends on what you
are afraid of.

NeuStar You can leave a voice message at +1-571-434-5468

Discussing IPv4 address policy is like deciding what to eat on the Titanic.