[dns-operations] .FI going insecure for two weeks (!)

Andrew Sullivan ajs at anvilwalrusden.com
Fri Dec 20 15:05:16 UTC 2024


On Fri, Dec 20, 2024 at 08:49:09AM UTC, Bill Woodcock wrote:
>> Our protocol mechanisms should be able to address all possible use cases deployed in the field, not a subset.
>
>I agree with Shumon.  These are both common use-cases, particularly the latter, and multi-signer mechanisms must accommodate them if they’re to be relevant.

To be relevant for what?  It seems that people have forgotten that voluntary standards don't have a way to force people to make implementations the way one might prefer they be made.  Moreover (and perhaps most relevant to the case that kicked off this thread), it is entirely possible that an implementation nominally supports a given deployment model, but the code path is badly enough tested that a responsible operator might choose not to rely on that code.

It is unfortunate that DNSSEC has demonstrated itself to be awfully complicated in ways many people are not prepared for, and perhaps more unfortunate that at some stages of the protocol's development there were people pushing for simpler or more familiar modes of operation and they were dismissed (at least, that's the way I remember a couple of events).  But it's the protocol that we got, and I think therefore that people are going to have to acknowledge, as Joe Abley did earlier in the thread, that operators will sometimes choose modes of operation that the rest of us wish they would not, just because those are valid alternatives under the protocol.  If that's unacceptable, then it would seem to me the protocol would need an update, and I don't see anyone clamouring for that.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com

