Hi Ted,
At 06:02 15-05-2014, Ted Lemon wrote:
I think it's worth documenting this option because there's a code
reserved for it, but I think it's highly questionable whether it
makes the internet better, because it encourages practices with DNS
that wind up violating the expectations resolvers
On May 16, 2014, at 5:35 AM, S Moonesamy sm+i...@elandsys.com wrote:
I sent a few comments about that CDNI draft. The DNS discussion in the draft
was problematic. It is worth documenting what people are doing. It is
worthwhile to consider whether the mechanism should be standardized by the
On 5/16/14, 8:18 AM, Andrew Sullivan wrote:
On Thu, May 15, 2014 at 09:02:43AM -0400, Ted Lemon wrote:
makes the internet better, because it encourages practices with DNS
that wind up violating the expectations resolvers might have for
consistency of zones and so on.
Despite my personal
On May 16, 2014, at 8:18 AM, Andrew Sullivan a...@anvilwalrusden.com wrote:
But it seems to me we ought to
be more enthusiastic than resigned in this case, even if we have to
hold our collective nose as well. Either those who understand how the
DNS works will document what to do, or else
On May 16, 2014, at 10:00 AM, Olafur Gudmundsson o...@ogud.com wrote:
few people saying this would cause the world to end and calling the
proponents names.
FWIW, when mailing list subscribers behave this way, what they say probably
can't easily be considered part of the consensus evaluation,
On Fri, May 16, 2014 at 7:24 AM, Nicholas Weaver
nwea...@icsi.berkeley.edu wrote:
No, it's not. All you have to be willing to do is release the constraint on
all signatures offline. Doing online signatures allows all the CDN
functionality you want to be DNSSEC validated (not like DNSSEC really
On May 16, 2014, at 10:24 AM, Nicholas Weaver nwea...@icsi.berkeley.edu wrote:
No, it's not. All you have to be willing to do is release the constraint on
all signatures offline. Doing online signatures allows all the CDN
functionality you want to be DNSSEC validated (not like DNSSEC really
On May 16, 2014, at 10:29 AM, Colm MacCárthaigh c...@allcosts.net wrote:
You won't survive a trivial DoS from a wristwatch computer with that approach
:) Having static answers around greatly increases capacity, by many orders of
magnitude.
Argh. Having just agreed with Nick, I have to
On May 16, 2014, at 7:29 AM, Colm MacCárthaigh c...@allcosts.net wrote:
And even 4096b RSA signatures only take a handful of milliseconds to
construct on the fly, you can cache signature validity for minutes even in
the very dynamic case, and this is one of those operations that parallelize
On 05/16/2014 02:18 PM, Andrew Sullivan wrote:
First, if resolvers have expectations about consistency of zones and
so on, then they're broken. The DNS has only ever been loosely
coherent. You're simply _not allowed_ to make that assumption from
any point in the network except inside the
On Fri, May 16, 2014 at 7:34 AM, Nicholas Weaver
nwea...@icsi.berkeley.edu wrote:
On May 16, 2014, at 7:29 AM, Colm MacCárthaigh c...@allcosts.net wrote:
And even 4096b RSA signatures only take a handful of milliseconds to
construct on the fly, you can cache signature validity for minutes
On May 16, 2014, at 7:44 AM, Colm MacCárthaigh c...@allcosts.net wrote:
Actually, you can. You prioritize non-NSEC3 records, since that's a finite,
identifiable, priority set, and cache the responses. Thus if you have 10k
valid names, each with 100 different possible responses, and have a
On May 16, 2014, at 10:54 AM, Nicholas Weaver nwea...@icsi.berkeley.edu wrote:
You miss my point. That server is doing a million QPS, but it's only
providing ~16k/s distinct answers.
[...]
I will reiterate that it would be really wonderful if all this creative energy
could go into writing
On Fri, May 16, 2014 at 7:50 AM, Paul Vixie p...@redbarn.org wrote:
what we do have is advice: if you're going to do this, here is a way
that works. in many cases, and DNSSEC is an example, the advice has an
additional property: if you want a system like this, here is how
everybody else is
On Fri, May 16, 2014 at 7:54 AM, Nicholas Weaver
nwea...@icsi.berkeley.edu wrote:
16k/second is nothing, and I can generate that from a wristwatch
computer. Caching doesn't help, as the attackers can (and do) bust caches
with nonce-names and so on :/ A 16 core machine can do a million QPS
Hi Ted,
At 04:56 16-05-2014, Ted Lemon wrote:
Did you feel that your comments were adequately addressed by the
working group?
I gave up on reading the first response to my comments as I did not
want to push back strongly; it's an effort and it can be viewed as
antagonistic.
Regards,
S.
On Fri, May 16, 2014 at 04:41:17PM +0200, Jelte Jansen wrote:
To implement client-subnet means to implement a form of views within
your resolver in the form of split caches. If you don't implement it at
all there is no problem, but it certainly does change the model of the
world that
On May 16, 2014, at 11:02 AM, S Moonesamy sm+i...@elandsys.com wrote:
I gave up on reading the first response to my comments as I did not want to
push back strongly; it's an effort and it can be viewed as antagonistic.
I think there's a fine line between ratholing and not getting the point
I don't want to spend a lot of time in this rathole (and this will be
my last remark on it), but I want to clarify something about what I
was trying to say. I suppose I should have picked better language.
On Fri, May 16, 2014 at 07:50:10AM -0700, Paul Vixie wrote:
not allowed is interesting
one of the icann ssac (then secsac) consensus processes i am most
proud to have been part of was this, in 2004:
http://www.icann.org/en/groups/ssac/report-redirection-com-net-09jul04-en.pdf
indeed, this document and the process followed in creating it may still
stand today, as ssac's finest
Tim,
On May 16, 2014, at 9:31 AM, Tim Wicinski
tjw.i...@gmail.com wrote:
On 5/16/14, 8:18 AM, Andrew Sullivan wrote:
Second, the Internet is actually working today using those kinds of
CDN tricks. Indeed, some of the most important and most successful
nodes on the
You would be insane to publish variant DS records with edns-client-subnet
to the public as there is no requirement for clients to use the
same address to lookup DS records as they use to lookup DNSKEY
records. Similarly for DNSKEY or RRSIGs based on DNSKEYs which are
variant based on
domain ENAME domain {0|1} [type list of included / excluded types]
(0 == include, 1 == exclude)
domain ENAME domain 1 is equivalent to domain CNAME domain
(exclude nothing)
domain ENAME domain 1 NS DNSKEY SOA is CNAME at apex
On 17May14, Mark Andrews allegedly wrote:
domain ENAME domain {0|1} [type list of included / excluded types]
(0 == include, 1 == exclude)
As I recall, the HTTP/2.0 folks have been intermittently talking about
supporting SRV. Would encouraging that group on that front be
Mark Delany wrote:
On 17May14, Mark Andrews allegedly wrote:
domain ENAME domain {0|1} [type list of included / excluded types]
(0 == include, 1 == exclude)
As I recall, the HTTP/2.0 folks have been intermittently talking about
supporting SRV. Would encouraging that group