Hi Paul,

Don't judy other's motivation with meaningless skeptics. The endless
skeptics can also push on your RPZ to DNSSEC.

As an network engineer, I think good faith is face to the realistic
internet world, try my best to offer a better solution to technology
problem.

If we anticipated the subdomain wildcard scenario when designing wildcard
years ago, *make Authoritative give more precise wildcard information to
Recursive* (SWILD) is natually.
SWILD is not starting from "desire", not to mention "reducing DNSSEC
deployment".

*1) I believe,  reduce solution interdependence between different problem
areas is comfortable.*

Subdomain wildcard cache issue solution is not need to bind with security
issue,  in natural.

*2) I believe,  design an alternative solution to an existed problem is
ordinary.*

IPv4/IPv6 Migration can use Tunnel, NAT, ...
Subdomain wildcard cache optimization can use NSEC aggressive wildcards,
SWILD, ...

You can oppose to SWILD,  but wish you not oppose to the alternative
solution designing.

*3) I believe,  network protocol / feature deployment progress is decided
by the key function, not because of additional function.*

IPv6 deployment  will sharply rise mostly because of *IPv4 addresses
exhaustion*,  but almost impossible because of any improved IPv6 featue
that IPv4 not have, such as MTU detect, auto addressing, built in IPsec, ...
DNSSEC deployment will sharply rise if global nameservers desire *dns
security*, but almost impossible because of an addtional wildcards feature.

That is why I say "SWILD has no influnence on reducing DNSSEC deployment",
going further,  "NSEC aggressive wildcard has no influnence on rising
DNSSEC deployment".

Repeat the Google example,  as far as I can see:
- Google has expert on NSEC aggressive wildcard.
- Google likes to support some optimized protocols/features, such as QUIC,
SPDY, ...

Nowadays: dig @ns1.google.com xxxxxxxx.google.com +dnssec, only return
NXDOMAIN.
Sum it up, I believe Google will deploy DNSSEC because of DNS SECURITY NEED
in future, more probability than because of NSEC aggressive wildcards.


Paul Vixie <p...@redbarn.org>于2017年8月15日周二 上午5:32写道:

> WG Chairs: i oppose adoption of this draft.
>
> Lanlan Pan wrote:
> > Hi Paul,
> >
> > ...
>
> tl;dr: this message marks the end of this thread from my side.
>
> > I think, SWILD has no influence on DNSSEC deployment : 1) If
> > recursive wants to deploy DNSSEC, it is almost impossible because of
> > NSEC/NSEC3 aggressiveuse Wildcards. *Security need is the greatest
> > motivation behind DNSSEC depolyment.* 2) If recursive doesn't want
> > to deploy DNSSEC, it is almost impossible because of SWILD. Imagine
> > that, there is no SWILD to give precise subdomain wildcard
> > information from authoritative, recursive can use random subdomain
> > detect method to make cache optimization, which was described in DNS
> > Noise: Measuring the Pervasiveness of Disposable Domains in Modern
> > DNS Traffic
> > <http://astrolavos.gatech.edu/articles/dnsnoise-dsn2014.pdf>.
>
> Mr. Pan, your words above are a striking example of absurd reduction,
> which through a series of difficult-to-assail false equivalencies, an
> outcome unacceptable to your correspondent may begin to "look good on
> paper".
>
> Proof of this can by found by trying to reason your way to the
> conclusion you are offering, by any other path. You'll find this
> difficult, since the likelihood of someone deploying DNSSEC if it has no
> compelling features is lower, and aggressive negative caching with or
> without a wildcard is a feature of both DNSSEC and SWILD.
>
> In any case I find that you are arguing in bad faith, starting from your
> desire and then finding ways to justify it, rather than starting from
> the facts and finding out where those lead to. I won't play along any
> further. For your possible use, see these words from the NY Times
> opinion pages, published a day or so ago:
>
> <<What becomes clear to anyone following the climate debate, however, is
> that hardly any climate skeptics are in fact trying to get at the truth.
> I’m not a climate scientist, but I do know what bogus arguments look
> like — and I can’t think of a single prominent climate skeptic who isn’t
> obviously arguing in bad faith.
>
> Take, for example, all the people who seized on the fact that 1998 was
> an unusually warm year to claim that global warming stopped 20 years ago
> — as if one unseasonably hot day in May proves that summer is a myth. Or
> all the people who cited out-of-context quotes from climate researchers
> as evidence of a vast scientific conspiracy.>>
>
> --
> P Vixie
>
> --
致礼  Best Regards

潘蓝兰  Pan Lanlan
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to