[EURO-Discuss] ALAC-WG on DNSSEC

JFC Morfin jefsey at jefsey.com
Mon Sep 1 09:24:25 EDT 2008


At 11:03 01/09/2008, Lutz Donnerhacke wrote:
>On Mon, Sep 01, 2008 at 01:59:34AM +0200, JFC Morfin wrote:
> > At 01:04 01/09/2008, Lutz Donnerhacke wrote:
> > >Please understand why the IANA signed root is not considered as
> > >production ready: They do construct errors in the zone to see how
> > >clients in the testbed react.
> >
> > So, you mean they actually are working actively on deploying DNSSEC
> > without anyone being informed?
>
>Why did you not inform yourself before blaming others?
>http://ipv6.google.com/search?hl=de&q=ns.iana.org%2Fdnssec%2Fstatus.html

I blame no one. I just infer from your semantics (and side echoes from 
the ccNSO) that the actual purpose is not technical validation but 
production, while production implies much more than technical validation.

> > I understand now why brother Danny teases us in asking if this is not
> > a too urgent matter for ALAC :-)
>
>DNSSEC is one of the current activities of ICANN and therefore a current
>matter for ALAC. One might ask if DNSSEC is too urgent for AtLarge, the
>ALSes, and the users out there. Because AtLarge should guide the process,
>the ALSes should think about this subject. That's why I would like to have a
>track at the summit.

This is correct. However, my question is for the ALAC (on behalf of 
the users) to decide first that DNSSEC / EDNS0 and NSEC3 is the way 
to go, technically, strategically and politically. The role of 
an advisory committee is just that, not to copy others' positions. 
In the process ALAC should also come up with additional DNSSEC 
deployment advice about the user side and global consistency.

For example, I raised the question at the IETF/WG-IDNABIS of the 
DNSSEC + IDN + IDNccTLD datagram size. When you consider the real 
status of the Internet 
(http://www.caida.org/workshops/wide/0801/slides/castro-ditl_comparison.pdf) 
you see that the EDNS0 proportion decreases. This means that both 
DNSSEC and IDNA will call for an EDNS oriented promotion campaign, 
which IPv6 can only benefit from. Would that not be the proper time to 
review the whole thing and build upon the synergy to base everything 
on an EDNS1 everyone could easily load (those to make aware and those 
who already have understood why they needed EDNS0)?

> > >Please do not spread such FUD. Either you know that they pay for or drop
> > >your suggestive wording here.
> >
> > I just read their own stuff and look at their welcome page.
> > http://www.unbound.net/
>
>Of course. Unbound is sponsored by Verisign and the code was written by the
>big, bad, and ugly NSA agents. ... Sorry, please let us keep to safe ground.

If this is your position I leave it to you. If it is supposed to be a 
joke on me, I am afraid you are totally off target :-)

> > >No. From the experience of rolling out IPv6 as well as DNSSEC, I'm
> > >pretty sure that DNSSEC is much, much easier. You do not need to touch
> > >every device in the net. Only the DNS servers.
> >
> > You need to touch _every_ resolver otherwise it does not make sense,
> > except for merchants. We do not want them to have an alibi to control us
> > and charge us more. We want to be protected, including from them. The
> > real daily danger for people's DNS are ISP name servers. Not a big
> > one but a real one.
>
>You only have to touch your last trustworthy DNS server for providing DNSSEC
>validation. The clients are usually not involved. The application software
>is usually not involved.
>
>You only have to touch your authoritative DNS server for providing DNSSEC.
>
>That's why the introduction of DNSSEC is much easier than any IPv6 rollout.

As Euralo we have no Chinese user online. It would be interesting to 
know from them. Or from Comcast.

>------------------------------------------------------------------------
>I do not want to talk about my business here. I try to keep it separate.
>So if you do not want to read about commercial issues, please stop reading.
>------------------------------------------------------------------------

Thank you for your answers. They are not commercial and show:

1) this is an operational market
2) for professionals who plan to run DNSSEC on their own in the 
future. I suppose it could be carried further on for private users.
3) the industrial cost is not prohibitive and will probably decrease 
if industrialised for end users. So there is a possible side-business plan.
4) the service would be operated for the time being by real 
professionals, so they would be flexible to system updates.
5) there are business cases that can be documented even for private users.

We could have most of this information at the ALAC summit, through your 
presentation.
This would therefore help us very much to best assess an ICANN and/or 
DHS DNSSEC-Bis strategic plan and to possibly improve it as a 
DNSSEC-Ter user and an IPv6/ROAP/BGP/NSEC3/EDNS1/ML-DNS/ISO11179 
oriented consistent review.

This is really great. First time in years that we can have an @large 
feed-back to the IETF/ICANN.
jfc
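The thread above argues about two technical points: that DNSSEC validation is switched on at the resolver rather than on every client, and that DNSSEC responses need EDNS0 because they do not fit the classic 512-byte UDP limit. The following Python script is an added example, written for this page and not taken from either poster or from any of the projects they mention. It builds a DNS query with and without the EDNS0 OPT pseudo-record (RFC 6891) and the DNSSEC OK bit (RFC 3225), then parses the wire bytes back to report what a resolver would see. The query name `example.com` and the transaction id are constructed values; no network access is made.

```python
import struct
from typing import Optional

OPT_TYPE = 41            # RFC 6891 OPT pseudo-RR type code
DO_FLAG = 0x8000         # RFC 3225 "DNSSEC OK" bit in the OPT TTL field
CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum UDP payload without EDNS0


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")  # IDN labels would be punycoded first (IDNA)
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                udp_payload: Optional[int] = 4096, dnssec_ok: bool = True) -> bytes:
    """Build a DNS query. udp_payload=None omits the OPT record entirely,
    giving a plain RFC 1035 query limited to 512-byte UDP answers."""
    arcount = 0 if udp_payload is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    if udp_payload is None:
        return header + question
    flags = DO_FLAG if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags, RDLEN=0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, flags, 0)
    return header + question + opt


def parse_name(msg: bytes, off: int):
    """Read a wire-format name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def edns_capabilities(msg: bytes) -> dict:
    """Walk a DNS message and report whether it carries an OPT record, the
    advertised UDP payload size, and whether the DO (DNSSEC OK) bit is set."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip question section
        _, off = parse_name(msg, off)
        off += 4
    for _ in range(an + ns):                       # skip answer/authority RRs
        _, off = parse_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    result = {"edns": False, "udp_payload": CLASSIC_UDP_LIMIT, "do": False}
    for _ in range(ar):                            # OPT lives in the additional section
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and name == "":
            result.update(edns=True, udp_payload=rclass, do=bool(ttl & DO_FLAG))
    return result


if __name__ == "__main__":
    plain = build_query("example.com", udp_payload=None)
    secure = build_query("example.com")
    print("plain query :", len(plain), "bytes,", edns_capabilities(plain))
    print("EDNS0 query :", len(secure), "bytes,", edns_capabilities(secure))
```

The difference between the two queries is the 11-byte OPT record; without it a validating resolver can only be offered 512-byte answers and must fall back to TCP for signed responses, which is what the "EDNS0 proportion" remark in the thread is about. The DO bit is what tells an authoritative server to include RRSIG, DNSKEY and NSEC/NSEC3 records at all.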