Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 24 February 2011 13:36 UTC

On Feb 24, 2011, at 5:17 AM, Phillip Hallam-Baker wrote:

> 
> 
> On Thu, Feb 24, 2011 at 7:52 AM, Tony Finch <dot@dotat.at> wrote:
> On Thu, 24 Feb 2011, Phillip Hallam-Baker wrote:
> >
> > Why would I need a time machine? You still don't have anyone actually using
> > DNSSEC for production?
> 
> Speak for yourself. We're using it in cam.ac.uk and so are our friends at
> ic.ac.uk. Large amounts of cz is signed.
> 
> Generating signatures is one thing.
> 
> You don't have a deployment until you have people verifying the signatures and the results affect their behavior.

All Comcast customers who've opted out of the NXDOMAIN wildcarding are behind resolvers that validate DNSSEC.


nweaver% dig www.dnssec-failed.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; Query time: 47 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Feb 24 05:35:42 2011
;; MSG SIZE  rcvd: 39


nweaver% dig +cd www.dnssec-failed.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> +cd www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; ANSWER SECTION:
www.dnssec-failed.org.  7200    IN      A       68.87.64.48

;; Query time: 15 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Feb 24 05:35:48 2011
;; MSG SIZE  rcvd: 55
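
The comparison shown in the two dig runs above, written as a script. This is an added example, not part of the original message: it builds the same A query with and without the CD (Checking Disabled) bit and classifies the resolver from the two reply headers. The function names, the labels returned and the sample headers are assumptions made for illustration.

```python
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_QR, FLAG_RD, FLAG_CD = 0x8000, 0x0100, 0x0010

def build_query(name, txid, cd=False):
    """Build an A/IN query; cd=True sets Checking Disabled, as dig +cd does."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Return (rcode, ancount) from the 12-byte header of a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, ancount

def classify(plain, with_cd):
    """Interpret replies for a name whose DNSSEC signatures are known to be broken."""
    rcode_plain, an_plain = parse_header(plain)
    rcode_cd, an_cd = parse_header(with_cd)
    # SERVFAIL alone could be an outage; data returned once CD is set shows
    # that the failure came from validation.
    if rcode_plain == RCODE_SERVFAIL and rcode_cd == RCODE_NOERROR and an_cd > 0:
        return "validating"
    if rcode_plain == RCODE_NOERROR and an_plain > 0:
        return "not validating"
    return "inconclusive"

def exchange(server, query, timeout=3.0):
    """Send one UDP query to server:53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def check_resolver(server, name="www.dnssec-failed.org"):
    plain = exchange(server, build_query(name, 0x1234))
    with_cd = exchange(server, build_query(name, 0x1235, cd=True))
    return classify(plain, with_cd)

# Constructed sample headers mirroring the two dig outputs above (flags: qr rd ra).
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 36205, 0x8182, 1, 0, 0, 0)
SAMPLE_NOERROR_CD = struct.pack("!HHHHHH", 1844, 0x8180, 1, 1, 0, 0)
```

`check_resolver("192.168.1.1")` performs the live check against the resolver address used in the dig runs; `classify(SAMPLE_SERVFAIL, SAMPLE_NOERROR_CD)` runs offline on the constructed headers.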
