[dns-operations] Nay-saying technology was Re: uspto.gov

Edward Lewis Ed.Lewis at neustar.biz
Tue May 18 14:35:10 UTC 2010

At 9:26 +0200 5/18/10, Stephane Bortzmeyer wrote:
>On Mon, May 17, 2010 at 10:13:06PM +0200,
>  bert hubert <bert.hubert at netherlabs.nl> wrote
>  a message of 47 lines which said:
>>  This is a datapoint that the care level for DNSSEC in production is
>>  still set to 'meh'.
>IPv6 had the same problem for a very long time (and still is in many
>places, for instance in the USA). Be patient :-)

Every now and then the list gets outbursts of "we don't want to do 
DNSSEC" or "DNSSEC is too much work for too little gain" followed by 
messages claiming that "you are spreading FUD."  In an ideal world, 
we would not have this cycle (it's a cycle because it gets nowhere.)

In 2008, after 2 years of pondering non-advancement on DNSSEC 
deployment (it had stalled since 2006 at least) I gave a talk called 
"Maybe it's the journey and not the Destination" - the point was that 
we gained a lot of knowledge of the protocol over the years but that 
the remaining work from that point exceeded what appeared to be the 

As one person has told me internally "DNSSEC is like bringing a tank 
to swat a fly."  What Dan did was turn the fly into a rampaging lion. 
A more formidable target than a fly, but still a tank is probably 

I followed up the talk a few months later with "DNSSEC: Coming or 
Looming."  Coming is an optimistic word, looming a pessimistic word, 
this talk was given after the description of the bug described by Dan 

At the time I gave the latter talk (September 2008), someone asked me 
what I thought about DNSSEC deployment.  I said - "well, I would 
never say 'only over my dead body' because that's a bad corner to be 
painted into."  OTOH, I still, to this day wouldn't hold up a banner 
saying "Go! DNSSEC, Go!" but, if it is coming, I'm resigned to it - 
or you could say I'm looking forward to it.  Really, I'm looking 
forward to the deployment being finished (one way or the other).

At the RIPE meeting, an old statement made by a professor finally 
(after 25 years) made sense to me.  It was "don't fall in love with a 
model."  He was talking to a bunch of newly entranced graduate 
students.  We chuckled that it meant "you guys won't get fashion 
models for dates" but it eventually dawned on me that he was saying 
"never leave sight of why you are here - to serve solutions to the 
world's problems.  You might develop a world model of how you think 
things should be, but that should always be back seat to serving the 
public good."  It wasn't meant to stir up passions for public 
service, but a warning that if you don't respond to the public, you 
will wind up like Don Quixote (tilting at windmills). 

DNSSEC is not mandatory, no one has to lift a finger because of this. 
If you are writing code or operating a service and the public desires 
it, you have the choice to either take it on and keep up serving your 
public or begin to turn them away.  If the public wants it, they will 
find it.  When you think the "public is crazy" look in the mirror and 
see if there's a Sancho Panza standing behind you.

Being one of the originators of DNSSEC, I stopped being a fan of it 
long ago.  It's not that I don't like it or see flaws in it or have 
any issue with it.  I think it is a good design.  However, it's not up 
to me to "determine the bus route" - DNSSEC is simply a mechanism 
with set costs and workload and a set of targets and features.  It 
isn't a culture or a way of life or a statement of values.  The 
adoption of DNSSEC will come from demand to have a safer DNS.

Over time that fly, now a lion, may become a target appropriate for a 
tank.  The question for members of the list is whether you want to be 
involved in building the tank in the anticipation that the target 
does grow or whether you are going to sit this out and expend your 
time and energy on other issues out there.

DNSSEC isn't easy.  But it's the best security we have for the data 
plane in DNS. Is it worth the cost to do it?  It depends on what you 
are afraid of.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Discussing IPv4 address policy is like deciding what to eat on the Titanic.
