Re: [DNSOP] DNSng-ish (was Re: key lengths for DNSSEC)
Phillip Hallam-Baker <hallam@gmail.com> Thu, 03 April 2014 01:07 UTC
In-Reply-To: <20140402233105.GD56668@mx1.yitter.info>
References: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com> <1D0A45EF-E5D3-468D-BA08-E45FEF4399DE@dnss.ec> <CAMm+LwgNoNhg7wSO+wqCGujBSfC4Fu3cwMPu2nTmkdvDwAD5Mw@mail.gmail.com> <20140402233105.GD56668@mx1.yitter.info>
Date: Wed, 02 Apr 2014 21:07:07 -0400
Message-ID: <CAMm+Lwh9G7VR1W4Qgi+qT4GCZKzC7qarHkaffVGETj1vfjheDg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/gOQi5yqpFETOIMIaCFG_4Bc068A
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
On Wed, Apr 2, 2014 at 7:31 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:

> On Wed, Apr 02, 2014 at 07:21:11PM -0400, Phillip Hallam-Baker wrote:
>
> > Which is why I have been pushing the notion that if we are going to do
> > DNSE then part of the DNSE solution should be to get us out of the single
> > response packet straitjacket.
>
> I've seen what you've had to say on that, and what I just don't
> understand yet is how that answer is deployable. That is, how is what
> you are suggesting there (and in your other discussions of this topic)
> not "replace DNS"? Or, if it is, why don't we just do a new protocol
> completely? We could fix the internationalization issues. We could
> ditch UDP and in a single blow eliminate a major source of DDoS on the
> Internet. And so on.
>
> The only problem is getting everyone to upgrade. No?

There are three different parts of the protocol:

1) Client -> Resolver
2) Resolver -> Authoritative
3) The DNS data model

Changing 1 is the easiest and also the part that is most in need. We need to find a way round all the crud that is making port 53 pretty much unusable. The privacy concerns are the most restrictive, etc.

Changing 2 is a little harder, but changes to BIND etc. will eventually percolate through.

Changing 3 is a ten-year program at least and is not feasible unless 1 and 2 are addressed first.

-- 
Website: http://hallambaker.com/
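The "single response packet straitjacket" the thread refers to is the classic DNS-over-UDP rule that a reply must fit in one datagram (512 bytes without EDNS0): an authoritative server that cannot fit all its records drops whole RRs, sets the TC bit, and the client is expected to retry over TCP. The following is an added example, not code from this message or from any of the implementations it mentions; it assembles a minimal response under that limit and shows the client-side check. The names `build_response`, `parse_header` and `needs_tcp_retry`, the zone name `example.test.` and the 192.0.2.x addresses are constructed for illustration.

```python
import struct

UDP_PAYLOAD_LIMIT = 512   # DNS/UDP limit without EDNS0 (RFC 1035 section 4.2.1)
FLAG_QR = 0x8000          # message is a response
FLAG_AA = 0x0400          # authoritative answer
FLAG_TC = 0x0200          # truncated: client should retry over TCP


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_rr(qname, ipv4, ttl=300):
    """One A resource record; no name compression, so the size arithmetic stays plain."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # type=A(1), class=IN(1), TTL, RDLENGTH
    return encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_response(txid, qname, addrs, limit=UDP_PAYLOAD_LIMIT):
    """Server side: add answers while they fit; otherwise stop at an RR boundary and set TC."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    header_len = 12
    body = question
    flags = FLAG_QR | FLAG_AA
    ancount = 0
    for addr in addrs:
        rr = build_a_rr(qname, addr)
        if header_len + len(body) + len(rr) > limit:
            flags |= FLAG_TC      # signal that the answer set is incomplete
            break
        body += rr
        ancount += 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + body


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a client needs to decide what to do."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(msg):
    """Client side: a truncated UDP answer must not be used as-is; re-ask over TCP."""
    return parse_header(msg)["tc"]


if __name__ == "__main__":
    # constructed sample data: a name with 3 addresses fits, one with 40 does not
    few = build_response(0x1234, "example.test.", ["192.0.2.%d" % i for i in range(1, 4)])
    many = build_response(0x1234, "example.test.", ["192.0.2.%d" % i for i in range(1, 41)])
    for label, msg in (("3 addrs", few), ("40 addrs", many)):
        h = parse_header(msg)
        print(label, len(msg), "bytes, ancount", h["ancount"], "TC", h["tc"],
              "retry over TCP:", needs_tcp_retry(msg))
```

Each uncompressed A record here costs 28 bytes, so after the 12-byte header and 18-byte question only 17 of the 40 answers fit in 512 bytes; the 40-address response comes back at 506 bytes with TC set, which is exactly the retry-over-TCP round trip the message is complaining about. In a real resolver the partial answer set must be discarded rather than cached, since TC means the server could not tell you everything it holds.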