Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Duane <duane@e164.org> Fri, 08 August 2008 05:17 UTC

Message-ID: <489BD56E.9070503@e164.org>
Date: Fri, 08 Aug 2008 15:11:10 +1000
From: Duane <duane@e164.org>
To: Brian Dickson <briand@ca.afilias.info>
CC: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <200808080332.m783WaYI006465@drugs.dv.isc.org> <489BC053.5080904@e164.org> <489BCF1D.20804@ca.afilias.info>
In-Reply-To: <489BCF1D.20804@ca.afilias.info>

Brian Dickson wrote:

> I don't recall any specific cases being pointed out.

http://ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01264.html

>> Only if you already know DNSSEC mechanisms exist and they haven't been
>> filtered.
> 
> You can't filter DNSSEC mechanisms without that filtration being
> detected (on a validating resolver).
> 
> This includes the ability to determine whether DNSSEC mechanisms exist.
> 
> (The above is predicated on some configured trust anchor, either a
> signed root or via locally configured trust anchors, or DLV.)

That was my point, you have to know about it already one way or another
for it to work, otherwise it can simply be ignored by upstream caching
servers.

> BTW - critical analysis of DNSSEC and alternatives is by no means
> discouraged, and I think any time anyone brings fresh eyes to the
> problem, only good things can come of it - if polite, reasoned discourse
> is the result.

Again I apologise if I've said anything that unduly offended anyone, I'm
merely expressing my opinions based on what I know about certain topics
and I may have made incorrect assumptions and I'm only too happy to be
corrected so I don't make the same mistakes in future.

-- 

Best regards,
 Duane
