On Wed, 15 Jul 2009, Paul Hoffman wrote:

>> and working with it. With manipulating my laptop's DNS asking for MY
>> OWN cryptographically signed data, you are asking me to throw out the
>> crypto protection and make me accept a downgrade attack.

> Then use a different DNS resolver.

If I use my own validating stub resolver, I can't make it to the portal page.
If I use the DHCP-supplied DNS server, I cannot securely get to my sites.

> This document is about how to do one type of resolution, not all types.

The document seems to list what it considers tolerable and intolerable DNS
manipulations. My whole point is that no one will ever agree on those
categorisations, and it is easier to draw the line at "no endorsements".

>> The IETF allowing or endorsing any kind of DNS forging in the age of
>> DNSSEC is simply wrong.

> This is more hyperbole that does not help the discussion. The IETF is not
> in the position to "not allow" anything, and it never has been. An
> Informational RFC is not "endorsing" anything.

> If you want to endorse not doing what this proposed Informational RFC
> describes, write such a document and have it on standards track, or BCP.

Tell me, what is the goal of this Informational RFC? To list common methods
for not adhering to standards and how to classify them? And condemn some
of them as bad? Who is meant to be informed, and what is the goal of this
information to such a person? Will this person be better able to design
new protocols? Deal with the current standards-breaking?

Some marketing person is going to wave the RFC number and say "It's all right",
and my saying "But it was only an Informational" is not going to make a
difference. So I can clearly see the abuse of such an Informational RFC,
but I have yet to understand how this draft will benefit the community. And
by classifying some DNS rewrites as bad and some as non-bad, this RFC
becomes more than just a bit of information. It becomes an endorsement.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop