[dns-operations] [Ext] Re: Cloudflare TYPE65283

Edward Lewis edward.lewis at icann.org
Tue Apr 11 15:55:59 UTC 2023

From: "paul at redbarn.org" <paul at redbarn.org>
Date: Tuesday, April 11, 2023 at 11:11 AM
To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>, Edward Lewis <edward.lewis at icann.org>
Subject: Re: [dns-operations] [Ext] Re: Cloudflare TYPE65283

>Well, we are overdue for starting over on dnssec, which we used to do every two years or so. But does the next generation have the will to do so?

Good point – and something that I keep in mind all the time…

At some point the operational burden (pain) might justify some re-engineering.

The important word there is “might”.


I make this statement upon hearing more and more discussions about how to dance around the DNSSEC definition, with the background that DNSSEC was designed in an era prior to the current DNS operational environment.  It’s simple to say that operational assumptions made about the DNS were incorrect in the early days of DNSSEC; more accurately, the field of operations as we know it today hadn’t begun.

One of my smoldering interests is “why aren’t new technologies adopted?”  It’s been 25 years since the first meeting to motivate DNSSEC adoption (April 1, 1998, at a lunch during IETF 41, involving DARPA, ISC, and TISlabs).  I’ve seen the approaches of “more free tools”, “more education of operators”, “build a business case” all fail to achieve their mark.  My concern now, especially after hearing Shumon Huque’s DNS-OARC 40 presentation, along with some 1:1’s with operators in recent years, is that the obstacles to deployment lie in the nature of how DNSSEC came to be.

I think there’s an overall desire to see DNSSEC succeed (omitting what ‘success’ is for the moment) but there remain technical impediments in the way, some only identified as the field of DNS operations evolves.  There are things that can be fixed, but there needs to be a will to take on the ‘capital investment’ to do the work.  We do know more now than we did a quarter of a century ago.

And, for what it matters, I have some specific ideas I hope to have time to document and propose; this isn’t just a purely philosophical rant.  Well, it could be just a rant, if there’s no will to change.
