On 30 Jul 2020, at 17:10, Paul Wouters <[email protected]> wrote:
> On Thu, 30 Jul 2020, Joe Abley wrote:
>
>> My sense is that this is a nice idea in theory but doesn't solve a problem
>> that anybody actually has, and the camel is starting to look a little bit
>> fraught. But I don't think any proposal should succeed or fail based on
>> anybody's uninformed sense, hence the request for more data.
>
> This proposal is meant to increase the amount of trust people can place in
> DNSSEC by decreasing the hard trust that is currently required of ICANN,
> Verisign and the TLD operators. I understand in our community, we do
> not see this as a big problem. Unfortunately outside our community it is.
Can you provide some information about that? I think it would be helpful to
understand the problem that people are bothered by.
> It is further interesting that you raise your point of "the risk analysis
> shows we can never afford to deploy this" when a few months ago you
> raised the reverse point that "we dont want to be forced to have to use
> this to be seen trustworthy". Both arguments cannot be true.
Well, I didn't say that we can never afford to deploy anything. Clearly we can
deploy lots of things all the time. I think I've explained why we couldn't just
turn this on in ORG right now, and so a requirement to do so would be a problem.
The lines of code to be added to particular implementations are not the only
measure of complexity in deployment, however. We don't have a good handle on
all the software that exists between application and authority server, nor how
it interacts. There are costs in resolution failures that appear intermittent
because they happen with some applications, networks or hosts but not others,
assuming that it is deployed anywhere.
If the technical difficulties for particular registries like ORG can be
circumvented but the benefits are not obviously compelling, then there's the
question of why any commercial registry would implement this proposal. If it
needs to happen as a contractual obligation, then that means contract changes
and although that's very much not my area, my sense is that that's a fairly
heavy ball that needs to be rolled up a steep and tall hill. That sounds like a
cost to me.
Without widespread implementation, I'm not sure how the problems (admittedly,
problems that I don't really understand) will actually be addressed. The costs
will remain, however. And right now I haven't heard a single example of a TLD
that might be in a position to implement this (not saying there isn't one, just
that I haven't heard an example).
Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
