Lutz Donnerhacke lutz at thur.de
Mon Sep 1 11:01:59 EDT 2008

On Mon, Sep 01, 2008 at 03:24:25PM +0200, JFC Morfin wrote:
> I blame no one. I just infer from your semantics (and side echoes from
> ccNSO) that the actual purpose is not technical validation but 
> production, while production implies much more than technical validation.

I like to use the existing testbed for a two-week production-grade test over
the Cairo meeting. Consider it as a testbed, too. This does not mean that
all root servers out there have got to be signed in those days, but the recursive
server at the meeting does the validation with the testbed servers.

> >DNSSEC is one of the current activities of ICANN and therefore a current
> >matter for ALAC. One might ask if DNSSEC is too urgent for AtLarge, the
> >ALSes, and the users out there. Because AtLarge should guide the process,
> >the ALSes should think about this subject. That's why I like to have a track
> >on the summit.
> This is correct. However, my question is for the ALAC (on behalf of 
> the users) to decide first that DNSSEC / EDNS0 and NSEC3 is the way 
> to go, technically, strategically and politically wise.

Yes, that should be discussed.

> The role of an advisory committee is to do just that, not to copy others'
> positions. In the process ALAC should also come with additional DNSSEC
> deployment advice about the user side and the global consistency.


> For example, I raised the question at the IETF/WG-IDNABIS of the 
> DNSSEC + IDN + IDNccTLD datagram size. When you consider the real 
> status of the Internet 
> (http://www.caida.org/workshops/wide/0801/slides/castro-ditl_comparison.pdf) 
> you see that the EDNS0 proportion decreases.

The reason might be simple: DNS servers do not use EDNS0 by default
anymore, only when needed. And they turn off EDNS0 per server, if any error
occurred. I would not claim that EDNS0 support decreased.

> >Of course. Unbound is sponsored by Verisign and the code was written by the
> >big, bad, and ugly NSA agents. ... Sorry, please let us keep on safe grounds.
> If this is your position I leave it to you. If it is supposed to be a
> joke at mine, I am afraid you are totally off target :-)

I forgot to add an irony ascii-art, sorry.

> >That's why the introduction of DNSSEC is much easier than any IPv6 rollout.
> As Euralo we have no Chinese user online. It would be interesting to 
> know from them. Or from Comcast.

Why do you look far away? Why do you not accept experience from others?
What do you expect?

