On 12/28/2010 14:46, bmann...@vacation.karoshi.com wrote:
On Tue, Dec 28, 2010 at 11:41:18AM -0800, Doug Barton wrote:
Now OTOH if someone wants to demonstrate the value in having a
publication channel for TLD DNSKEYs outside of the root zone, I'm
certainly willing to listen. Just be forewarned that you will have an
uphill battle in trying to prove your case. :)
Doug
well, not to pick on you, or the choices made by VSGN,
but I -will- point out that there are many good reasons
to support an out of band method for moving critical data.
(lots of refs on the tradeoffs btwn OOB and IB channels are
to be found by your fav search engine).
... and while as a general principle I tend to agree with you, I was
pretty specific in what I asked for.
the Internet of last century relied in most cases on in-band
communications.
Actually I think I can make a pretty convincing argument that the
Internet of last century relied almost entirely on certain individuals
meeting face to face at IETF, RIR, and other meetings. But with respect
to the season I will attempt to be charitable.
and what we have seen is the creation of
overlays or outright independent "control plane" or C&C
networks to manage data flow with independent prioritization
over other traffic as the Internet has evolved. In this case
i think this DNSiSEC model is about 15 years behind the curve.
IMHO, key management should be able to use an OOB channel
when the in-band is corrupted or overlaoded. Reliance on
strictly the IB channel presumes there will be no problems
with that channel. EVER. For me, I don't want to take
that risk. YMMV of course.
I'm not sure I agree that an OOB channel would be useful here, even
given your premise. Yes, to some extent DNS is distributed, but I think
the degree of fate-sharing that is inherent in the system makes the OOB
validation scheme _for TLD DNSKEYs_ (which, again, is what I asked
about) at best useless, and at worst a giant waste of everyone's time to
try and do well.
I can't presume that you (or anyone else) share my values
You could have just stopped here. :)
regarding system resilience. For me, the choice made by
VSGN in regards to this zone presuposes bullet-proof and DDOS
proof communications between servers. No packet overloads,
no out of memory conditions, no link saturation, etc. I
appreciate that some might think they live in such a world.
I hope that you and VSGN are lucky. As for myself, I'm
making plans to have more control over my DNS verification
destiny.
If this "proves" my case to you, wonderful! If not, no sweat,
we'll agree to disagree.
Good plan.
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
