On Apr 13, 2012, at 6:02 PM, Patrik Fältström wrote:

> On 13 apr 2012, at 23:43, Nicholas Weaver wrote:
>
>> Likewise, comcast being blamed for...
>
> Because (1) they seem to be the only large resolver operator that does
> validation(?) and (2) people like us on this list try to work out end runs
> around the standards we created instead of helping Comcast.
>
> Yes, I blame myself personally there as well for not doing enough. I was
> working hard when we deployed DNSSEC in Sweden to counterattack all such
> arguments in the press that you refer to, and I thought, naively, that as we
> managed to go through those issues, other people would as well.
>
> But as I said in an earlier message, maybe we were lucky in Sweden that all
> major ISPs did deploy validation at the same time. In the US it seems to be
> Comcast only(?).
>
> What would have happened if AT&T and Comcast and Verizon started validation
> basically the same week?
Yes, but AT&T, Verizon, Cox, BestWeb, RR, TW, etc. are currently *not* doing
validation, and currently don't have much in the way of incentives to start --
yes, NASA was an unusual event, but what was the standard advice that kept
popping up on Twitter / forums / FB, etc.? "Change your resolver to be 8.8.8.8
and the problem is fixed" -- now, I'm all for folk changing to use Google's
resolvers, but to avoid validation isn't the right reason...

Yes, NTAs suck and have some really bad security implications, but I believe
that the alternative is worse. Without a way for validating resolver operators
to avoid users jumping ship to non-validating resolver operators we delay
adoption (imo significantly) and users are at a much larger risk for a much
longer time. Once most ISPs are performing validation there should be fewer
screwups, and NTAs should almost never be needed -- but until we get to that
point I think that they are needed, and the net security wins outweigh the
costs...

W

[ Written on a plane, will send when I land. The conversation may have moved
on since then... ]

> Now of course we cannot turn back the clock, but I still think "we give up
> too early" if we go down this path.
>
> That is my reason for a +1.
>
> Now I will go to sleep. It is Friday, and I feel I am hijacking this thread.
> Violating principles of IETF lists I like myself.
>
> More people should say what they want to say.
>
>    Patrik
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
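For readers who have not run into one: the "NTA" Warren is defending is a resolver-side override that tells a validating resolver to treat one specific zone as unsigned, so a zone whose DNSSEC signatures are broken (as NASA's were) returns answers instead of SERVFAIL while everything else stays validated. The fragment below is an added illustration, not anything posted in this thread and not Comcast's implementation; it shows the Unbound equivalent, `domain-insecure`. The zone name nasa.gov is an assumption (the thread only says "NASA"), and the trust-anchor path is a typical default, not a value from the thread.

```conf
# unbound.conf fragment: a negative trust anchor for one broken zone.
# Added example, not from the mailing-list thread.
server:
    # Validation stays switched on for every other zone; the root trust
    # anchor is untouched. (Path is an assumed, typical default.)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor: Unbound treats this name and everything below
    # it as unsigned ("insecure"), so bogus data for it is served instead of
    # answered with SERVFAIL. While it is in place, DNSSEC gives users no
    # protection at all against forged answers for this zone, which is the
    # "really bad security implication" referred to above.
    #
    # Scope it to the zone that actually failed. Putting "gov." here would
    # switch off validation for every .gov zone, not just the broken one.
    # nasa.gov is an assumption; the thread only says "NASA".
    domain-insecure: "nasa.gov"

    # Unbound has no expiry for domain-insecure. The operator must remove
    # the line (and reload) once the zone is fixed, or the NTA silently
    # outlives the outage it was created for.
```

The same thing can be done at run time without a reload with `unbound-control insecure_add nasa.gov` and undone with `unbound-control insecure_remove nasa.gov` (`unbound-control list_insecure` shows what is currently in effect); the point of the last comment is that whichever way it is added, somebody has to remember to take it out. Later BIND releases (9.11 and up) expose the same mechanism as `rndc nta nasa.gov`, where the entry expires on its own after a configurable lifetime, which is the safer shape for something that is meant to cover a temporary screwup.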