[dnsop] some comments on draft-krishnaswamy-dnsop-dnssec-split-view-02

Andrew Sullivan <andrew@ca.afilias.info> Tue, 11 July 2006 08:51 UTC

Date: Tue, 11 Jul 2006 04:05:54 -0400
From: Andrew Sullivan <andrew@ca.afilias.info>
To: dnsop@lists.uoregon.edu
Subject: [dnsop] some comments on draft-krishnaswamy-dnsop-dnssec-split-view-02
Message-ID: <20060711080554.GA4177@dba3>
Reply-To: Andrew Sullivan <andrew@ca.afilias.info>

Colleagues,

In Dallas, I offered to review
draft-krishnaswamy-dnsop-dnssec-split-view.  I apologise to all of
you, and especially to the author, that I am as late as this in my
review; some other work interfered, but I do apologise that I should
have taken on a task that I then did not complete.

In any case, I have read
draft-krishnaswamy-dnsop-dnssec-split-view-02.txt.  I have some
general comments.

Ed Lewis already observed that the document entails acceptance of
split-view DNS.  I know that several people have argued against that
in the past, but I think it is, at this stage, windmill-tilting to
try to suggest that split-view DNS is just a bad thing.  It's here,
at least for the foreseeable future, and I think it is incumbent upon
an operations group to suggest how, if you're going to do something
distasteful, to do it correctly.  I think this document makes at
least a very good start at that.

I also applaud the author for what seems to me to be a careful and
well-thought-out discussion of the implications of DNSSEC in such an
environment.

I suspect, however, that the document needs to be broken into a pair,
because there are really two items here: how to do split-view DNS and
how to do it with DNSSEC.  It seems to me that one could support the
argument for the former without supporting the argument for the
latter (indeed, I can imagine purists holding their noses at the
first one, but saying that the second part is simply beyond the
pale).  I can think of practical reasons not to split them, though,
so if the author or others are strongly opposed to that, I won't
cleave too strongly to this position.

Irrespective of that, I think it would be very helpful to define
carefully the terms in section 4's sample rules (perhaps my addled
brain has missed these in one of the references, but I didn't spot
it).

I also think it would be terribly helpful to operators to have a
simple(ish) table with pros and cons of the various strategies listed
in section 3.  This is really just a summary of section 3, but I bet
it will be helpful to users.

In any case, I think that the document should be a WG item, even if
it is split in two.  If the WG consensus is that split-view DNS is
bad, evil, wrong, and Inquisition-worthy, then obviously the document
cannot become a WG item.  In that case, I urge the group to rethink
the position, because even if we don't like split views, they're a
reality.  We have an obligation, I think, to offer advice on the best
ways to do that which is possible.

Best regards,
A

-- 
----
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew@ca.afilias.info>                              M2P 2A8
                                        +1 416 646 3304 x4110
