Re: [DNSOP] Review of draft-livingood-dns-redirect-00

[Paul Hoffman <paul.hoffman@vpnc.org>]

At 12:08 AM -0400 7/15/09, Paul Wouters wrote:
>On Mon, 13 Jul 2009, Paul Hoffman wrote:
>
>>>>I think you need to widen that caveat: anything that isn't a web browser
>>>>should not use a DNS server that misbehaves as described in this draft.
>>>
>>>I think you need to widen that caveat: anything should not use a DNS server
>>>that misbehaves as described in this draft.
>>
>>Paul: that's over the top. Some of the services defined in the draft are highly desired by some Internet users. You may not like them, and that's fine. Your statement is akin to, and as useful as, the "NATs are bad so we shouldn't talk about them" debate that flares in the IETF approximately biannually.
>
>There is a huge difference here. With NAT, one is putting some
>inconvenience to the end user and the server administrator that requires
>some clarifications in protocols and some support with detecting it
>and working with it. With manipulating my laptop's DNS asking for MY
>OWN cryptographically signed data, you are asking me to throw out the
>crypto protection and make me accept a downgrade attack.

Then use a different DNS resolver. This document is about how to do one type of resolution, not all types.

>The IETF allowing or endorsing any kind of DNS forging in the age of
>DNSSEC is simply wrong.

This is more hyperbole that does not help the discussion. The IETF is not in the position to "not allow" anything, and it never has been. An Informational RFC is not "endorsing" anything.

If you want to endorse not doing what this proposed Informational RFC describes, write such a document and have it on standards track, or BCP.

--Paul Hoffman, Director
--VPN Consortium