Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Paul Vixie <vixie@isc.org> Thu, 07 August 2008 15:59 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1EBE93A6BA2; Thu, 7 Aug 2008 08:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.435
X-Spam-Level:
X-Spam-Status: No, score=-0.435 tagged_above=-999 required=5 tests=[AWL=2.164, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4RHav3qmzOd; Thu, 7 Aug 2008 08:59:58 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id EC4D73A68EF; Thu, 7 Aug 2008 08:59:57 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KR7on-0004U7-Q0 for namedroppers-data@psg.com; Thu, 07 Aug 2008 15:54:25 +0000
Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <vixie@vix.com>) id 1KR7oi-0004Sw-QU for namedroppers@ops.ietf.org; Thu, 07 Aug 2008 15:54:23 +0000
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 5B441A66AC; Thu, 7 Aug 2008 15:54:17 +0000 (UTC) (envelope-from vixie@nsa.vix.com)
From: Paul Vixie <vixie@isc.org>
To: Duane <duane@e164.org>
cc: bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
In-Reply-To: Your message of "Fri, 08 Aug 2008 00:43:10 +1000." <489B09FE.8050701@e164.org>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl> <489B09FE.8050701@e164.org>
X-Mailer: MH-E 8.0.3; nil; GNU Emacs 22.2.1
Date: Thu, 07 Aug 2008 15:54:17 +0000
Message-ID: <49451.1218124457@nsa.vix.com>
MIME-Version: 1.0
X-Vix-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-ID: 5B441A66AC.5D32A
X-Vix-MailScanner: Found to be clean
X-Vix-MailScanner-From: vixie@vix.com
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
> From: Duane <duane@e164.org> > > bert hubert wrote: > > Or 79 page presentations called "DNSSEC in six minutes" - giving people 4.6 > > seconds per page. It is just not real. > > http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf > > I've seen this document in the past and it actually turned me and others > completely off the idea of DNSSEC, ... you are both missing the point of that document. it's not a six minute presentation. but after you sit through that presentation, you can get dnssec running in six minutes. (we've measured.) which is not to say that dnssec is easy -- i know that at ISC we're thinking seriously of dedicating the whole BIND 9.7 release to dnssec tools and usability. > ... which in part was what led to me playing with encryption funnily > enough, because it seems to me most are promoting 30 day TTLs on the > sigs, which means 30 days of replay attacks potentially, not to mention > the whole re-signing every 30 days. you can use whatever TTL you want. but more importantly, are you saying we should discard a protocol because of the quality of early implementations especially in terms of usability? because if that were true i'm pretty sure TCP/IP should have been shot dead back in 1985 or so. likewise X11, BSD, Linux, Windows, and MAC/OS. > Who ever thought that does not live in the real world, people > administering servers with X.509 certs that expire yearly is bad enough, > but every 30 days or less??? > > That alone is going to be a show stopped for most if not all admins with > too many things to do and not enough time to do everything. duane, i understand why bert's a dnssec denier. but i urge you to study the historical debates and the threat models document and think carefully before you climb on that bandwagon. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: Additional filtering of responses Tony Finch
- Additional filtering of responses Wouter Wijngaards
- OFFTOPIC: DNSSEC groupthink versus improving DNS bert hubert
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: Additional filtering of responses Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- RE: OFFTOPIC: DNSSEC groupthink versus improving … Jesper G. Høy
- Re: Additional filtering of responses Roy Arends
- Re: Additional filtering of responses Paul Vixie
- Forgery resilience idea - wildcard cooperative de… Brian Dickson
- Re: Forgery resilience idea - wildcard cooperativ… Paul Vixie
- Re: Additional filtering of responses Roy Arends
- Re: Forgery resilience idea - wildcard cooperativ… bert hubert
- Re: Forgery resilience idea - wildcard cooperativ… Brian Dickson
- Re: Additional filtering of responses Edward Lewis
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Olaf Kolkman
- Re: Additional filtering of responses Tony Finch
- Re: OFFTOPIC: DNSSEC groupthink versus improving … David Conrad
- Re: OFFTOPIC: DNSSEC groupthink versus improving … bert hubert
- Re: Additional filtering of responses Edward Lewis
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Federico Lucifredi
- Re: Additional filtering of responses Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: Additional filtering of responses Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Brian Dickson
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Brian Dickson
- Re: Additional filtering of responses Masataka Ohta
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: Additional filtering of responses Masataka Ohta
- Re: Additional filtering of responses Roy Arends
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ralf Weber
- Re: Additional filtering of responses Masataka Ohta
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: Additional filtering of responses Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ralf Weber
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Alex Bligh
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … sthaug
- Re: OFFTOPIC: DNSSEC groupthink versus improving … bert hubert
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: Additional filtering of responses Peter Koch
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Please stop this thread (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Otmar Lendl
- Re: Please stop this thread (was: OFFTOPIC: DNSSE… Matt Larson
- Re: Please stop this thread (was: OFFTOPIC: DNSSE… David Conrad
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ben Laurie
- how many angels can dance on the head of a pin? bmanning
- Re: how many angels can dance on the head of a pi… Duane at e164 dot org
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Florian Weimer
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… sthaug
- Re: how many angels can dance on the head of a pi… Ben Laurie
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Ben Laurie
- Re: how many angels can dance on the head of a pi… Paul Vixie
- Re: how many angels can dance on the head of a pi… Paul Hoffman
- Re: how many angels can dance on the head of a pi… bmanning
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Havard Eidnes
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- DNSSEC on autopilot (was: OFFTOPIC: DNSSEC groupt… Otmar Lendl
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Otmar Lendl
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Mark Andrews
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan