On Tue, 12 Aug 2008, Dean Anderson wrote:
On Mon, 11 Aug 2008, Paul Wouters wrote:
[Paul Wouters is a frequent NANOG poster.]
a handful of postings in years is frequent?
DNSSEC has been deployed on large scale by some TLD's and RIR's already.
It is very much operational.
Not very much--99 domains out of 70 million in .com.
"America is not the world"
Your argument would be stronger if you identified which TLD's and which
RIR's.
http://www.xelerance.com/dnssec/ shows deployments per TLD, other people have
created lists of domains within other unsecured TLD's. These are regularly posted
to various lists, including dnssec-deployment, so look there.
On top of that, perhaps check out:
http://ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf
For example it shows that of 61 TLD's, 7% deployed DNSSEC in production, 5% have
a testbed running, and of the remaining TLD's that don't have an implementation
going, 33% are going to deploy within 1 year, and an additional 38% are going to
deploy in 3 years. It's really time to put the "dnssec is not deployed" myth to bed.
How long do we hack around a system before making a protocol
change? Sure, not every day, as EDNS0 proves, but surely using TXT
records and source port numbers for the next 25 years sounds like
overshooting it at the other end of the spectrum.
This is a very good point. We had an opportunity to replace the protocol
entirely in IPv6. That opportunity was squandered. Perhaps more
questions should be asked about this squandered opportunity in the right
forums, or maybe on a different subject line in this forum.
While historically intriguing, it has no relevance to DNSSEC.
1) What is more broken with DNSSEC than on DNS?
The question really should be 'What is LESS broken with DNSSEC than with
DNS?'
This shows more an unwillingness to discuss than anything else.
This is a completely irrational claim.
You "answer" my question by inverting it, using a cows vs animals inversion.
2) If DNSSEC is flawed, where is a better alternative?
I think there are indeed better alternatives. Bernstein calls for
development of alternatives.
So there are better alternatives, but even Mr. Bernstein wants to develop
alternatives, suggesting to me that there are currently no alternatives.
Nice circular logic there.
Note for the record that I just explained YOUR circular logic. Thank you for
confirming the flawed reasoning. I totally agree with you on that point.
Which again leads to you requiring more proof of 1) before shooting down
DNSSEC. If there is nothing better, and DNSSEC does not make it worse (and
some complexity in return for fixing the recent Kaminsky class bugs seems
pretty acceptable to me), then it is you who needs to do the work of
developing these 'better alternatives' that you so desire. "Consensus
and Running Code"?
The logic "if nothing better, therefore DNSSEC does not make it worse"
is a fallacy. There can indeed be no alternative (and thus nothing
better), while DNSSEC still makes things worse.
Worse than current DNS deployments? That's pretty hard to do. Didn't you
see or read Dan's presentation?
But to find alternatives, IETF has to stop silencing the people who
can figure out solutions, merely because those people oppose the
BIND cartel.
I'm skipping the conspiracy theory discussion bit. I see many clever people
who dare to stand up and show mistakes and propose alternatives.
You just said there were no alternatives.
People *proposed* alternatives. They were just not accepted as valid
alternatives that were better than DNSSEC.
Dismissing the definite overt acts of misconduct as "conspiracy theory"
is merely a tricky attempt to avoid the facts.
Seeing how you responded to my emails, I am beginning to see their point.
The BIND cartel gave us the flawed solutions;
However, after I asked you to show these flaws, I was not answered. See
above.
You were answered about flaws; I referred you to documents describing
the flaws. The recent message from Dr. Bernstein more clearly answers
the 'flaws issue'.
I responded to those.
The current rushing is the "DNS is insecure! Adopt DNSSEC NOW!!!"
No, the current solution was "Let's not force everyone into DNSSEC now,
since that would be unsafe, so let's hack our way around a hack we did not
like in the past, but which seems to be only a short-term stopgap. Let's co-ordinate
a massive cross vendor source-port randomization patch".
Show me the problems. Brasil, Sweden and RIPE's reverse tree did not vanish
from the net when they implemented things. Resolvers of big ISP's in Sweden
did not cause the Swedish endusers to lose connectivity to the internet.
Oh---So if the reverse trees didn't vanish, everything must be
alright... Sigh.
Let me help your English parsing:
"Show me the problems. [Brasil], [Sweden] and [RIPE's reverse tree] did not
vanish". I expected someone like you to know there are no CCTLD reverse trees.
Anyway, this discussion is not leading to anything constructive, so I am ending
my participation in it. Feel free to have the last word.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
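The thread above argues over whether the cross-vendor source-port randomization patch is a real fix or only a short-term stopgap for the Kaminsky-class cache-poisoning bugs. The following toy model, added here as an illustration and not taken from the thread or from any resolver's code, shows the quantitative point behind that argument: an off-path attacker racing the authoritative server has to guess the 16-bit transaction ID, and randomizing the resolver's source port adds roughly another 16 bits to that guess (the exact figure depends on the ephemeral range and NAT behaviour; 16 is an assumption used for the model). The race counts, forgery burst size and seed are constructed parameters, not measurements.

```python
"""Toy model of a Kaminsky-style off-path DNS cache-poisoning race.

The attacker triggers a resolver query for a random, not-yet-cached name
(so there is no TTL to wait out) and floods the resolver with forged
answers before the real one arrives.  A forgery is accepted only if it
matches the transaction ID and the destination port the resolver is
waiting on.  With a fixed source port the attacker already knows the port
and only the 16-bit TXID stands in the way; with a randomized source port
the attacker must guess port and TXID together.
"""
import random

TXID_BITS = 16
# Assumed entropy contributed by source-port randomization.  Real resolvers
# get somewhat less than 16 bits (reserved/low ports, NAT rewriting), so this
# is the optimistic ceiling, not a measured value.
PORT_BITS = 16


def guess_space_bits(randomize_port: bool) -> int:
    """Number of bits an off-path attacker must guess per forged answer."""
    return TXID_BITS + (PORT_BITS if randomize_port else 0)


def race_success_probability(randomize_port: bool, forgeries_per_race: int) -> float:
    """Probability that one race (one burst of distinct forgeries) poisons the cache."""
    space = 2 ** guess_space_bits(randomize_port)
    return min(1.0, forgeries_per_race / space)


def expected_races_to_poison(randomize_port: bool, forgeries_per_race: int) -> float:
    """Expected number of races (each a fresh random-subdomain query) until the first hit."""
    return 1.0 / race_success_probability(randomize_port, forgeries_per_race)


def simulate(randomize_port: bool, races: int = 200,
             forgeries_per_race: int = 4000, seed: int = 1) -> int:
    """Run `races` independent races and return how many were poisoned.

    Each race: the resolver picks the value it is waiting for (TXID, plus
    port if randomized) uniformly at random; the attacker sends
    `forgeries_per_race` distinct guesses.  Constructed parameters; the
    seed only makes the run repeatable.
    """
    rng = random.Random(seed)
    bits = guess_space_bits(randomize_port)
    poisoned = 0
    for _ in range(races):
        expected = rng.getrandbits(bits)          # what the resolver will accept
        guesses = set(rng.sample(range(2 ** bits), forgeries_per_race))
        if expected in guesses:                    # a forgery won the race
            poisoned += 1
    return poisoned


if __name__ == "__main__":
    for randomize in (False, True):
        label = "randomized port" if randomize else "fixed port"
        print(f"{label}: guess space 2^{guess_space_bits(randomize)}, "
              f"expected races to poison at 4000 forgeries/race: "
              f"{expected_races_to_poison(randomize, 4000):,.1f}, "
              f"poisoned in simulation: {simulate(randomize)}/200")
```

With a fixed port, 4000 forgeries per race give better than a 1-in-17 chance per race, so a few hundred races (seconds on a LAN) reliably poison the toy resolver; with the extra 16 bits the same attacker needs on the order of a million races. That is why the thread calls the patch a stopgap rather than a fix: it raises the cost, but the accepting resolver is still trusting unauthenticated data, which is the property DNSSEC signatures change.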