Subject: Re: dns hop by hop transaction security for queries
> From: Alex Bligh
> --On 22 July 2008 04:59:48 +0000 Paul Vixie wrote:
> > if there are no configuration knobs, no new error messages, no changes
> > to DHCP or /etc/resolv.conf or rendezvous, and no dependencies on the
> > US Gov't to approve signing something before we can all start using the
> > technology, then it will be extraordinarily easier to deploy than
> > DNSSEC. it's just code and there are no forklifts.
> How much of the perceived problem is lack of signing by USG in your opinion?
icann can't make a change of this kind to the root zone without permission
from a lot of people, definitely including its board and USG, probably
including IAB or IESG, and possibly including its SSAC and RSSAC and GAC
and ALAC committees. i don't know that USG is the last remaining approval,
and for that matter i don't know if USG has been asked to approve anything.
> I think there are other options (along the lines of DLV) that would allow
> faster deployment if this was substantially the longest pole in the tent
> and would allow CNOBIN, ccTLDs etc. to sign their zones if they were so
> minded. Clearly this would leave individual users to sign their zones,
> but those being spoofed / phished would have every incentive to get on
> with it.
suck though it may, we have to deploy dnssec. if icann can't sign the root
zone then the TLDs and/or everybody else will have to make other arrangements,
in which roy arends' DLVPTR work could be very important, or in which DLV
could play a transition role. had we been able to bite, chew, and swallow
dnssec, we could just use SIG(0) for stubs, and UDPPORT / QID predictability
would not matter.
i apologize for not making this case clearly enough when we launched DLV. i
think most folks were so concerned about DLV being a power/glory grab that
the merits and justifications and goals just didn't seem to register at all.