On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
> The best solution is of course DNSSEC. Crypto signatures instead of
> randomisation games. Enable DNSSEC validation now.

Not specifically aimed at you, Wouter, but it appears the most vocal people
in the DNS world are starting to suffer from "groupthink".


"A mode of thinking that people engage in when they are deeply involved in a
cohesive in-group, when the members' strivings for unanimity override their
motivation to realistically appraise alternative courses of action"

"Groupthink tends to occur on committees and in large organizations."

For a fine compendium of the kind of statements I mean, please see

DNSSEC cited as "only full solution" to recent DNS vulnerability

"DNSSEC is the only full solution."

"We at ISC hope that this issue will draw attention to DNSSEC, which
in the end will only be the real solution"

And this can't be good - it is leading us to make statements which are
patently untrue, like "turn on DNSSEC to be safe".

Or 79-page presentations called "DNSSEC in six minutes" - giving people 4.6
seconds per page. It is just not real.

Or asking people repeatedly to remove the phrase "under development" when
DNSSEC is referred to as a solution under development - which it patently

If the goal is to deploy DNSSEC quickly, roll out the tools surrounding it,
invent the protocols for getting your keying material upstream, widen the
registry-registrar protocols to fit these records, create the emergency key
rollover procedures (and don't hide the need for them), implement 'auto-sign
yes;' etc etc etc. The only way DNSSEC will ever work is if it is only slightly
harder to operate than DNS.

But if you care about DNSSEC, please stop pretending DNSSEC is ready to
deploy and just waiting for people to get around to it.

If you care about DNSSEC, don't hide that it might in itself have security

If you care about DNSSEC, please also stop pretending it is not far harder
to operate than DNS itself. DNS is already considered to be difficult, and
operators mess it up all the time. It is not like adding an 's' to

All these things will come back to haunt you when people actually do follow
the advice to turn on DNSSEC now, and discover they've either done something
that doesn't help (signing without getting the trust anchor used), or have
actually caused their domains to go down, because they did not
institutionalize the key rollover procedures.

("You mean this goes down if I don't re-sign in time? Wow!").

The reason I rant on about this is that I care deeply about DNS, and that
DNS is *currently* under attack. While DNSSEC is aggressively branded as a
fine solution, at best, it will be a solution in a few years.

Additionally, given things I've said before, I personally don't think DNSSEC
will ever see wide usage in the real world, so I feel very strongly that not
only do we need to improve DNS in the short term, the short term solution
also needs to be the long term solution.

But no matter what I feel - please everybody take a minute to read the
symptoms of groupthink, and wonder if we are still doing the best job we can
to improve DNS in the real world.

Because that is our goal. I hope.


http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
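The two operational failure modes the message warns about (a zone that goes bogus because nobody re-signed before the RRSIGs expired, and a zone signed with a key the parent never published a DS for) are easy to check for mechanically. The script below is an added example, not code from the message's author, from PowerDNS or from any project mentioned in the thread. It parses DNSKEY and RRSIG records in the RFC 4034 presentation format and computes the key tag per RFC 4034 Appendix B; the zone snippet, the four-byte placeholder public key, the PARENT_DS_TAGS set and the "now" timestamps are all constructed for the example and describe no real zone.

```python
"""Added example: two operational DNSSEC checks over a zone-file snippet.

Check 1: RRSIGs a validator already rejects (expired or not yet valid) or
         that lapse soon, i.e. "this goes down if I don't re-sign in time".
Check 2: RRSIGs whose key tag matches no DNSKEY in the zone, and whether any
         SEP key is actually anchored by a DS at the parent, i.e. "signing
         without getting the trust anchor used".
"""
import base64
from datetime import datetime, timedelta, timezone

# Constructed zone snippet (not a real zone).  The DNSKEY public key is a
# four-byte placeholder (0x01 0x02 0x03 0x04) so the key tag can be worked
# out by hand; the RRSIG signature fields are likewise placeholders.
ZONE = """\
example.test.     3600 IN DNSKEY 257 3 8 AQIDBA==
example.test.     3600 IN RRSIG  DNSKEY 8 2 3600 20080901000000 20080801000000 2063 example.test. c2ln
www.example.test. 3600 IN A      192.0.2.10
www.example.test. 3600 IN RRSIG  A 8 3 3600 20080810120000 20080711120000 2063 example.test. c2ln
"""

# Key tags the parent has published in DS records (constructed for the example).
PARENT_DS_TAGS = {2063}


def parse_timestamp(text):
    """RRSIG YYYYMMDDHHmmSS timestamp -> aware UTC datetime (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_zone(zone_text):
    """Return (dnskeys, rrsigs) as lists of dicts from presentation-format lines."""
    dnskeys, rrsigs = [], []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pubkey = base64.b64decode("".join(rdata[3:]))
            dnskeys.append({"owner": owner, "flags": flags, "algorithm": alg,
                            "tag": key_tag(flags, proto, alg, pubkey)})
        elif rtype == "RRSIG":
            # RDATA: type covered, alg, labels, orig TTL, expiration, inception,
            # key tag, signer name, signature (RFC 4034 section 3.2).
            rrsigs.append({"owner": owner, "covers": rdata[0],
                           "algorithm": int(rdata[1]),
                           "expiration": parse_timestamp(rdata[4]),
                           "inception": parse_timestamp(rdata[5]),
                           "tag": int(rdata[6]), "signer": rdata[7]})
    return dnskeys, rrsigs


def signature_problems(rrsigs, now, warn_within=timedelta(days=7)):
    """RRSIGs that are rejected now, or that expire within warn_within."""
    problems = []
    for sig in rrsigs:
        if now < sig["inception"]:
            state = "not yet valid"
        elif now >= sig["expiration"]:
            state = "expired"
        elif sig["expiration"] - now <= warn_within:
            state = "expires soon"
        else:
            continue
        problems.append((sig["owner"], sig["covers"], state))
    return problems


def chain_problems(dnskeys, rrsigs, parent_ds_tags):
    """(orphaned signatures, anchored?) for the zone's key set."""
    tags = {k["tag"] for k in dnskeys}
    orphaned = [(s["owner"], s["covers"], s["tag"]) for s in rrsigs if s["tag"] not in tags]
    sep_tags = {k["tag"] for k in dnskeys if k["flags"] & 1}  # SEP bit = KSK
    return orphaned, bool(sep_tags & parent_ds_tags)


def check_zone(zone_text, now_text, parent_ds_tags):
    """Run both checks as of now_text (RRSIG timestamp format); returns a summary dict."""
    now = parse_timestamp(now_text)
    dnskeys, rrsigs = parse_zone(zone_text)
    orphaned, anchored = chain_problems(dnskeys, rrsigs, parent_ds_tags)
    return {"key_tags": sorted(k["tag"] for k in dnskeys),
            "signatures": signature_problems(rrsigs, now),
            "orphaned": orphaned, "anchored": anchored}


if __name__ == "__main__":
    # "Now" chosen as the day of the message, for illustration only.
    report = check_zone(ZONE, "20080807110000", PARENT_DS_TAGS)
    for owner, covers, state in report["signatures"]:
        print(f"RRSIG {owner} {covers}: {state}")
    for owner, covers, tag in report["orphaned"]:
        print(f"RRSIG {owner} {covers}: key tag {tag} not in DNSKEY set")
    print("anchored at parent:", report["anchored"])
```

Run against the constructed zone with the message's date as "now", the A record's signature is reported as expiring within the week while the DNSKEY signature is still fine; move "now" past 2008-08-10 and the same signature is reported as expired, which is exactly when a validating resolver starts answering SERVFAIL for www.example.test. Dropping 2063 from PARENT_DS_TAGS reproduces the other failure: every signature checks out locally, yet no validator will ever trust the zone because the parent's DS points at a key the zone does not use.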