Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
Davey Song <songlinjian@gmail.com> Wed, 16 August 2017 09:35 UTC
To: Mukund Sivaraman <muks@isc.org>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FYMbvHw7JfV4FKNPeDijj6hEOYw>

According to your description, I feel that IPv6 has better chance to win than its "brother" DNSSEC. LoL

On 16 August 2017 at 14:48, Mukund Sivaraman <muks@isc.org> wrote:

> On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote:
> > On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> >
> > > 24 / 500 top domains (4.8%)
> > > 20548 / 1 million top domains (2.05%)
> > >
> > > (12 years after introduction of 403{3,4,5})
> >
> > https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1
> >
> > 20% of European users is behind a validating resolver, in some countries
> > it's 70% plus.
> >
> > So this is now happening, albeit at a not high enough pace. But at least
> > it's going in the right direction, and I do believe that there is enough
> > people behind validating resolvers that people can't mess up signing their
> > zone and push away blame on who needs to fix things.
> >
> > So at least there is benefit in signing your zone now, there wasn't as much
> > before when nobody was validating.
>
> The validating resolver is half of the system.
>
> DNSSEC is brittle. It has an all-or-nothing behavior (that's what it was
> designed for) that many businesses cannot afford to bank on if something
> were to go wrong. An administrative error or signer software bug on the
> authoritative side can take the whole zone down and every service with
> it (as DNS is at the head of network activity). Software is still not
> perfect, so I don't know how this can change - I see practical signer
> bugs still that take down the zone entirely. It's also still painfully
> inconvenient to update parent zones, that makes fixing mishaps
> difficult. The amount of damage that a break in DNSSEC validation chain
> could do is far greater than other implementations of crypto such as TLS
> where it is limited to a service.
>
> (Note that I'm not advocating against DNSSEC, as much as this email may
> sound so. The things I mention are practical issues that I see as an
> implementor.)
>
> A colleague says "If TLD’s allowed UPDATE messages to be processed most
> of the issues with DNSSEC would go away. At the moment we have a whole
> series of kludges because people are scared of signed update messages."
>
> Mukund
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop