Dear colleagues,

On Mon, Jul 10, 2017 at 06:16:53PM -0400, Shumon Huque wrote:
> negotiation from the beginning, fail open would not have been necessary.
> This fail open behavior frequently takes people not in the DNSSEC club by
> complete surprise. I've lost track of how many "WTF" moments I've had to
> explain to other people about this behavior.

DNSSEC is mostly like that. I think it is because most people used to security extensions are used to them in end to end protocols, and used to failing when the arrangement is not end-to-end.

For instance, people also express astonishment that DNSKEYs don't expire. Everyone always has to be reminded that signatures expire, and if you want to expire keys you take them out of the zone.

This is not to say, "Stupid users," but instead to say that at least _part_ of the reason DNSSEC violates a lot of expectations is because DNS does. People continue to believe, for example, that there's always one authoritative server, one recursive, and one stub. We all know that's _also_ a bad model, but it's mostly good enough except when it isn't.

So, I think one can sympathise completely with the "WTF" moments, but still think the response is, "Yep, this thing violates all your assumptions. Sorry."

Best regards,

A

--
Andrew Sullivan
[email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
