On 3/3/2010 6:39 AM, Tony Finch wrote:
On Tue, 2 Mar 2010, Doug Barton wrote:
5. The very large number of misconfigured name servers out there now
argues strongly against considering DNS a "secure" channel.

I think I agree with everything except point 5. The aim of automating this
is to reduce misconfiguration. You are arguing that delegations are
frequently a bit broken, so there's no point doing anything to reduce the
breakage. But we know DNSSEC makes breakage more likely (because of key
rollovers) and can turn minor breakage into serious breakage.

Actually I had a lot more than bad delegations in mind when I wrote "misconfigured" above, but I dialed back quite a bit. To speak more plainly, a very large percentage of people who do DNS at the moment do it badly. I agree with your point that DNSSEC is going to increase both the complexity and the impact of misconfigurations, which is why I am leaning in the direction of thinking that adding more bullets to the foot-shooting gun is probably not the right way to go.

In my mind all of these points argue strongly against putting work into
this, even if the RRR channel was likely to adopt it, which I am
extremely skeptical about.

It would be very helpful to be able to do automatic delegation updates
in lower levels of the DNS tree.

I'm not 100% dead set against the idea, just mostly thinking it's not a good avenue to pursue. It would be easier to judge if we had a more concrete proposal to chew on.


Doug

--

        ... and that's just a little bit of history repeating.
                        -- Propellerheads

        Improve the effectiveness of your Internet presence with
        a domain name makeover!    http://SupersetSolutions.com/

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop