[EURO-Discuss] ALAC-WG on DNSSEC
jefsey at jefsey.com
Mon Sep 1 09:24:25 EDT 2008
At 11:03 01/09/2008, Lutz Donnerhacke wrote:
>On Mon, Sep 01, 2008 at 01:59:34AM +0200, JFC Morfin wrote:
> > At 01:04 01/09/2008, Lutz Donnerhacke wrote:
> > >Please understand why the IANA >signed root is not considered as
> > >production ready: They do construct errors in the zone to see how
> > >clients in the testbed react.
> > So, you mean they actually are working actively on deploying DNSSEC
> > without anyone being informed?
>Why did you not inform yourself before blaming others?
I blame no one. I just infer from your semantic (and side echoes from
ccNSO) that the actual purpose is not technical validation but
production, while production implies much more than technical validation.
> > I understand now why brother Danny teases us in asking if this is not
> > a too urgent matter for ALAC :-)
>DNSSEC is one of the current activities of ICANN and therefore a current
>matter for ALAC. One might ask if DNSSEC is too urgent for AtLarge, the
>ALSes, and the users out there. Because AtLarge should guide the process,
>the ALSes should think about this subject. That's why I like to have a track
>on the summit.
This is correct. However, my question is for the ALAC (on behalf of
the users) to decide first that DNSSEC / EDNS0 and NSEC3 is the way
to go, technically, strategically and politically wise. The role of
an advisory committee is to just that, not to copy others' positions.
In the process ALAC should also come with additional DNSSEC
deployment advises about the user side and the global consistency.
For example, I raised the question at the IETF/WG-IDNABIS of the
DNSSEC + IDN + IDNccTLD datagram size. When you consider the real
status of the Internet
you see that the EDNS0 proportion decreases. This means that both
DNSSEC and IDNA will call for an EDNS oriented promotion campaign,
IPv6 can only benefit from. Would that not be the proper time to
review the whole thing and build upon the synergy to base everything
on an EDNS1 everyone could easily load (those to make aware and those
who already have understood why they needed ENDS0)?
> > >Please do not spread such FUD. Either you know that they pay for or drop
> > >your suggesting wordings here.
> > I just read their own stuff and look at their welcome page.
> > http://www.unbound.net/
>Of course. Unbound is sponsored by Verisign and the code was written by the
>big, bad, and ugly NSA agents. ... Sorry, please let keep us on safe grounds.
If this is your position I leave it to you. If it is supposed to a
joke at mine, I afraid you are totally out target :-)
> > >No. From the experience of roll out IPv6 as well as DNSSEC, I'm
> pretty sure,
> > >that DNSSEC is much much easier. You do not need to touch every device in
> > >the net. Only the DNS servers.
> > You need to touch _every_ resolver otherwise it does not make sense,
> > except for merchants. We do not want they have an alibi to control us
> > and charge us more. We want to be protected, including from them. The
> > real daily danger for people's DNS are ISP name servers. Not a big
> > one but a real one.
>You only have to touch your last trustworthy DNS server for providing DNSSEC
>validation. The clients are usually not involved. The application software
>is usually not involved.
>You only have to touch your authoritive DNS server for providing DNSSEC.
>That's why the introduction of DNSSEC is much easier than any IPv6 rollout.
As Euralo we have no Chinese user online. It would be interesting to
know from them. Or from Comcast.
>I do not want to talk about my business here. I try to keep it separate.
>So if you do not want to read about commericial issues, please stop reading.
Thank you for your answers. They are not commercial and show:
1) this is an operational market
2) for professionals who plan to run DNSSEC by their own in the
future. I suppose it could be carried further on for private users.
3) the industrial cost is not prohibitive and will probably decrease
if industrialised for end users. So there is a possible side-business plan.
4) the service would be operated for the time being by real
professionnals, so they would be flexible to system updates.
5) there are business cases that can be documented even for private users.
We could have most this information at the ALAC summit, through your
This would therefore help us very much to best assess an ICANN and/or
DHS DNSSEC-Bis strategic plan and to possibly improving it as a
DNSSEC-Ter user and an IPv6/ROAP/BGP/NSEC3/EDNS1/ML-DNS/ISO11179
oriented consistent review.
This is really great. First time in years that we can have an @large
feed-back to the IETF/ICANN.
More information about the EURO-Discuss