Hi,

First, let me say that I like Mark's sketch of ENAME that I read on this list. (To disclose my bias, I had a much inferior, faintly similar idea a couple years ago, but it was not complete, and not as compact or elegant. The customer I offered it to therefore told me not to pursue it.) I think the ENAME suggestion is a promising idea (though it needs fleshing out and deeper evaluation). I think it is a vast improvement over the last suggestion in this direction (BNAME). Nevertheless,

On Tue, May 20, 2014 at 09:43:42AM +1000, Mark Andrews wrote:
> the zone support it. It would just be insecure until validators
> catch up.

...I think that may be a little too glib. Given the DNSSEC environment these days, I'm not sure we can just shrug our shoulders at the idea of breaking DNSSEC validators. Replacing validators on a large scale takes perhaps 18-24 months (it's a new feature, and a lot of "stable" server systems are now committed to no feature change in that time scale), and likely longer for really complete penetration. End point validation uptake is worse; but on the other hand that continues to be an enthusiast market, so it might be ok.

_But_, there might be a slightly better argument. The driving use cases for ENAME are for zones that today are almost certainly not signing and, perhaps more importantly, have a whole bunch of challenges in signing. "Stupid DNS tricks" in the presence of DNSSEC are awful hard. Given the still-low utility in end point validation, an administrator of such a candidate zone might not be ready to adopt DNSSEC anyway. So, if we quickly added ENAME and got the algorithm change in place, then validators might be ready in time.

I can't say I'm optimistic about this. ENAME would require special server-side processing, so it's full standards action. If we as a community are actually convinced this is worth doing, however, then we ought to be able to crank this out in 3-5 months. I have heard people claim that we shut down DNSEXT too fast. It took years to do that, which I took to be evidence that we did it too slowly. Perhaps this is an opportunity for those who think I was too keen to prove what a jerk I am. That oughta be incentive ;-)

Best regards,

A

--
Andrew Sullivan
[email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop