Issue 1382 (was: Re: [ietf-dkim] New Issue: New resource record
pbaker at verisign.com
Mon Oct 16 11:08:23 PDT 2006
I am very unhappy with the past behavior of the DNS directorate. In particular they have in the past demonstrated a complete failure to accept the fact that protocols have to be compatible with deployment constraints.
DNSSEC has been delayed at least five years due to arguments over the importance of deployment constraints. This is not a community that is sufficiently in touch with reality to be relied on.
There is no point in accepting a boat anchor being added to the protocol for the sake of getting through IESG review. At the end of the day the IESG review has much less importance than the deployability of the protocol.
In particular nobody seems to have noticed the apparent loss of interest in DKIM from a certain party that happens to have one of the DNS servers that would be most affected by the proposal. I am rather more concerned about that than the opinion of the IESG as predicted by the DNS Directorate.
There should be a registry of prefixes for the simple reason that this is now the way that the DNS is extended in practice. There is in fact such a registry, if the IETF does not act it will end up the defacto registry.
> -----Original Message-----
> From: ietf-dkim-bounces at mipassoc.org
> [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Stephen Farrell
> Sent: Monday, October 16, 2006 10:21 AM
> To: Scott Kitterman
> Cc: ietf-dkim at mipassoc.org
> Subject: Issue 1382 (was: Re: [ietf-dkim] New Issue: New
> resource record type)
> The last time we met we had this same issue wrt key records
> with the result shown below (excerpted from ).
> I don't personally know if SSP records are in any way
> different from key records, but it does seem to be the case
> that there is some general opposition to (re-)using TXT.
> And we won't really be able to have the discussion with the
> DNS folks (which will be necessary) until we have a concrete
> protocol to discuss with 'em.
> So I'd suggest that we leave this issue  open for now, and
> come back to the topic when we've got a concrete protocol on
> which we can base the discussion.
> Does that sound ok for now?
>  http://tools.ietf.org/wg/dkim/minutes?item=minutes66.html
>  https://rt.psg.com/Ticket/Display.html?id=1382
> "Bellovin on the DNS directorate issue: question about TXT vs
> other RR for _domainkey. Spent 45 minutes at DNS directorate.
> Steve not chair, but consensus. Quoting:
> "The DNS directorate is unhappy with using TXT records this
> way. Some of the reasoning is spelled out in
> draft-iab-dns-choices-03.txt. At the least, a registry of _
> names is needed, with provision for subtyping, but subtyping
> RRs has long been known to be bad . In general, TXT
> overloading can be likened to using HTTP as the universal
> transport protocol; see RFC 3205 for why that's a bad idea.
> A more specific problem for this situation is the issue of wildcards.
> Briefly, you can't have a wildcard _domainkeys record; given
> that email is the major place where wildcards are used, this
> is a serious issue."
> DNSSEC signing records at least may be found below
> _domainkeys and other RRs deliberately or by accident.
> Olafur: If doc says "do not use wildcards" that'd be good.
> Proposes an experiment to acquire a new type if the WG want
> to try that (a fast process apparently).
> Doug - eai may expand record as well as longer keys. Suggests
> that alternative to TXT might be good for that.
> Crocker: Question to Bellovin: Would DNS directorate assert a
> Bellovin: No-one said DISCUSS, but unhappiness. On the plus
> side, its a special record and we don't have to contend with
> other TXT records.
> Way forward: WG will only specify a TXT for keys for now."
> NOTE WELL: This list operates according to
More information about the ietf-dkim