Hi Paul, Don't judy other's motivation with meaningless skeptics. The endless skeptics can also push on your RPZ to DNSSEC.
As an network engineer, I think good faith is face to the realistic internet world, try my best to offer a better solution to technology problem. If we anticipated the subdomain wildcard scenario when designing wildcard years ago, *make Authoritative give more precise wildcard information to Recursive* (SWILD) is natually. SWILD is not starting from "desire", not to mention "reducing DNSSEC deployment". *1) I believe, reduce solution interdependence between different problem areas is comfortable.* Subdomain wildcard cache issue solution is not need to bind with security issue, in natural. *2) I believe, design an alternative solution to an existed problem is ordinary.* IPv4/IPv6 Migration can use Tunnel, NAT, ... Subdomain wildcard cache optimization can use NSEC aggressive wildcards, SWILD, ... You can oppose to SWILD, but wish you not oppose to the alternative solution designing. *3) I believe, network protocol / feature deployment progress is decided by the key function, not because of additional function.* IPv6 deployment will sharply rise mostly because of *IPv4 addresses exhaustion*, but almost impossible because of any improved IPv6 featue that IPv4 not have, such as MTU detect, auto addressing, built in IPsec, ... DNSSEC deployment will sharply rise if global nameservers desire *dns security*, but almost impossible because of an addtional wildcards feature. That is why I say "SWILD has no influnence on reducing DNSSEC deployment", going further, "NSEC aggressive wildcard has no influnence on rising DNSSEC deployment". Repeat the Google example, as far as I can see: - Google has expert on NSEC aggressive wildcard. - Google likes to support some optimized protocols/features, such as QUIC, SPDY, ... Nowadays: dig @ns1.google.com xxxxxxxx.google.com +dnssec, only return NXDOMAIN. Sum it up, I believe Google will deploy DNSSEC because of DNS SECURITY NEED in future, more probability than because of NSEC aggressive wildcards. Paul Vixie <p...@redbarn.org>于2017年8月15日周二 上午5:32写道: > WG Chairs: i oppose adoption of this draft. > > Lanlan Pan wrote: > > Hi Paul, > > > > ... > > tl;dr: this message marks the end of this thread from my side. > > > I think, SWILD has no influence on DNSSEC deployment : 1) If > > recursive wants to deploy DNSSEC, it is almost impossible because of > > NSEC/NSEC3 aggressiveuse Wildcards. *Security need is the greatest > > motivation behind DNSSEC depolyment.* 2) If recursive doesn't want > > to deploy DNSSEC, it is almost impossible because of SWILD. Imagine > > that, there is no SWILD to give precise subdomain wildcard > > information from authoritative, recursive can use random subdomain > > detect method to make cache optimization, which was described in DNS > > Noise: Measuring the Pervasiveness of Disposable Domains in Modern > > DNS Traffic > > <http://astrolavos.gatech.edu/articles/dnsnoise-dsn2014.pdf>. > > Mr. Pan, your words above are a striking example of absurd reduction, > which through a series of difficult-to-assail false equivalencies, an > outcome unacceptable to your correspondent may begin to "look good on > paper". > > Proof of this can by found by trying to reason your way to the > conclusion you are offering, by any other path. You'll find this > difficult, since the likelihood of someone deploying DNSSEC if it has no > compelling features is lower, and aggressive negative caching with or > without a wildcard is a feature of both DNSSEC and SWILD. > > In any case I find that you are arguing in bad faith, starting from your > desire and then finding ways to justify it, rather than starting from > the facts and finding out where those lead to. I won't play along any > further. For your possible use, see these words from the NY Times > opinion pages, published a day or so ago: > > <<What becomes clear to anyone following the climate debate, however, is > that hardly any climate skeptics are in fact trying to get at the truth. > I’m not a climate scientist, but I do know what bogus arguments look > like — and I can’t think of a single prominent climate skeptic who isn’t > obviously arguing in bad faith. > > Take, for example, all the people who seized on the fact that 1998 was > an unusually warm year to claim that global warming stopped 20 years ago > — as if one unseasonably hot day in May proves that summer is a myth. Or > all the people who cited out-of-context quotes from climate researchers > as evidence of a vast scientific conspiracy.>> > > -- > P Vixie > > -- 致礼 Best Regards 潘蓝兰 Pan Lanlan
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop