[dns-operations] DNSSEC DANE testing

Vernon Schryver vjs at rhyolite.com
Fri Aug 3 11:20:37 UTC 2012

> From: Ondřej Surý <ondrej.sury at nic.cz>

> Yeah, that's the attitude.  The protocol document hasn't been published
> yet (but will be out hopefully soon), and was fully baked (aka IETF LC
> finish) like 1-2 months ago and you would ALREADY expect to have fully
> working implementations?

Yes, and not just 1-2 months ago but a year ago.

> You set yourself unrealistic expectations 

My expectations were set by web sites, public announcements,
and decades writing network code.

> and you torpedo the whole thing without even trying to speak to
> involved people.

Code matters a lot more than what "involved people" might say.  Maybe
I'm behind the times, but I take public announcements of supposedly
working code at face value and as coming from "involved people."
And when did I get the power to torpedo anything?  Whenever pointing
at emperors' private parts is enough to torpedo something, sinking
is inevitable.

> The implementations will come after the protocol is done and the truth
> is that somebody will have to invest in that, they will not magically
> appear out of the thin air.

The IETF does not implement anything, standard user misunderstandings
of network protocol development and implementation notwithstanding.

In my network protocol implementation experience (which started many
years before the IETF existed, includes more than IETF protocols, and
by which I don't mean unpacking boxes or editing configuration files),
successful non-trivial protocols have real world use (not just
implementation) before the protocol is frozen by official approval
(even as Proposed).

Conversely, official approval before first public implementation is a
reliable bad sign unless the protocol is very simple, widely demanded,
and entirely non-controversial.  Because DANE is so simple, so wanted,
and so much of the code that it needs is already available, I still
have hope for it, albeit not on a schedule on what used to be called
"Internet time."

The fact that http://www.imperialviolet.org/2011/06/16/dnssecchrome.html
is more than a year old and more complicated than a browser DANE
implementation is both a good and a bad sign.

I think 7 years total was recently described as a good DANE schedule.
Maybe I'm senile, but that feels longer than it took for DNS itself.
RFC 897 has a 1984 date.  I know that DNS was a de facto standard
before 1984+7=1991, because years before 1991 I was responsible for
some .com domain names.

Vernon Schryver    vjs at rhyolite.com
