Re: DNSEXT (premature?) obituary notice
note, this isn't a rant on ed, it's just that his note crystalized some ideas.
> What I also read from this lingering list of wants and needs is that there
> isn't a lot of real desire to finish off the work. It's not that folks are
> lazy, the desire to finish off work comes from the work being meaningful
> and rewarding. I don't see DNS'ers sitting under palm trees drinking
> mai-tais while this list lingers, we are busy doing other work.
there's more to this malaise than being too busy. there's exhaustion, and
there's what you said, lack of "meaningful and rewarding." this working group
is a perfect demonstration of "tyranny of the majority". thirteen (13) years
into the experiment, we're once again at the 11th hour of dnssec as we've been
five times before, and we're now being told that the "auth-follows-delegation"
model (DS vs DLV) is undeployable due to root domain politics and economics.
we are also still working our way through "zonewalking-isn't-acceptable"
(NSEC3 and whitelies), and are apparently about to readdress the previous
answer to "security-can't-be-optional" (opt-in). most of the stuff we thought
was done, wasn't. most of what we thought was deployable, isn't. most of
the people who were willing to "do it over" five times are pondering this 6th.
now, most investors (and most gamblers, and most engineers, and most lovers)
are willing to double down if they think they've still got "a shot at it," but
most want to know "why will this time be any different?" which requires being
able to determine "why have we failed every time up through now?" which means
taking a look at the key decisions and processes and cultures that led to five
straight undeployable results (which is to say, "failures"). let's party like
it's still 1994:
2065 failed because eastlake didn't understand DNS and no one else understood
security, so it was effectively ships-passing-in-the-night, unreviewed work,
doomed to burst into flame when the rubber finally met the road. the IESG
thought they fixed this by merging DNSSEC with DNSIND and calling it DNSEXT,
to make sure subsequent work wasn't done in a double-blind environment. this
fix seems to have worked-- subsequent failures were all different from this.
who wants to do 2535? my favorite of all time is still the folks who rained
on opt-in not because they didn't want to use it, but because they didn't want
verisign to be able to use it. a close second is the folks who thought that
what US-DoC/VeriSign/ICANN needed in order to mend their fences and learn to
live together in peace and harmony was shared responsibility for all of the
world's electronic commerce security. an honourable mention goes out to the
folks who figured that the TLD operators who tightly restricted AXFR would all
be eager to drop their pants the moment NSEC came out. and the thing that
makes these most interesting, from an anthropological standpoint, is that the
decisions were all made by what heinlein called "aunt millie" -- well-meaning
decent people who considered it their sacred duty to save others from folly.
> I'm in no hurry to see the WG close, but I wonder - who cares if the work
> list is completed? Does anyone (outside of the WG) care? *If no one
> cares*, I think it is time we all moved on even with unfinished business.
> If anyone cares, how can they help the WG along to finishing off the list?
i think folks are (rightly) afraid to care, since they've seen what happens
to others who cared. the majority is still standing by, ready to tyrannize.
IETF is an open-door society, and unless one counts the DNS Directorate,
there is no way to get anything done that anybody objects to. (noting that
we might now have nearly perfect IP mobility if A6/DNAME had not been killed,
and i mean killed by a non-open non-IETF-like process.) (and also noting
that the problems now being faced by IPv6 include all of the ones warned
about by the promoters of TUBA.)
> Should we itemize this list into milestones? Should we just forget about
> it? Where's the energy for all this? Those are my thoughts.
i believe that the strong desire shown for killing this working group comes
from the irrational belief that if we start over with a new charter and a
new name, the current tyrannizing majority will lose interest and/or not be
able to find the next working group, and that only the smart constructive
creative baggage-free non-hating types will join the next mailing list or
attend the next set of meetings. that's never been seen to work, but hope
springs eternal. (we should have put more effort into MODA, i guess.)