On Feb 17, 2013, at 23:19, Ted Lemon wrote:

> What's local?

DNSSEC set out to stop cache poisoning. Look at it from the cache's point of view. Local means "whatever the owner/operator of the cache" controls. From the time we began to develop validation, decision points were all covered by "local policy rules." DNSSEC is popularly known by its supply-side activity - how many zones are signed, etc. But that's a red herring when it comes to what DNSSEC is all about. So, local is what the operator of the cache (caching server[s]) wants it to be.

> How does the local authority know to set a negative trust anchor? This seems
> very labor-intensive and failure-prone.

There is already a commercial market trading on the reputation of domain names. There are various commercial sources that will recommend disrupting traffic to and from sources of, say, spam. This is in addition to the labor-intensive process of investigating everything "yourself."

The first step that is needed is to be able to have name servers turn off DNSSEC validation per domain name (= zone at times) and then back on. The next step is to figure out when DNSSEC should be turned off and on. The next step is to make this scalable in some reasonable sense.

I don't know "much" about this, in the sense that I haven't been paying close attention. But I have been surprised to find that there's more progress on the first step than I'd have thought. I also know there's quite a bit of maturity in the latter two steps. But just not (the maturity, that is) in publicly available documents.

Again, because I haven't actually read the trust-anchors document(*), I can't honestly register support for it, but it's probably (or I hope is) a first step into making what's already in play commercially appear in a publicly available document. (To date I'm just catching up on the mail list thread.)

(*) - From a conversation a decade ago, I've learned it's best to be completely honest about whether you've actually read a document thoroughly when responding to a question from Ted. ;) Ok, so to be honest I might have read the draft in an earlier form; I certainly don't recall if I did.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
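The "first step" above (a cache switching DNSSEC validation off for one zone and back on again) as an added, illustrative example; this is not code from the post or from any resolver, and the class, method names and the expiry-based "back on" behaviour are assumptions for illustration:

```python
"""Added example: a negative trust anchor (NTA) table for a validating cache.

Local policy only: the cache operator names a zone, validation failures
under that zone are treated as 'insecure' instead of SERVFAIL, and the
entry expires so validation turns itself back on (constructed behaviour).
"""
from dataclasses import dataclass, field
from typing import Optional
import time


def _labels(name: str) -> list:
    """Lowercase labels of a DNS name: 'www.Example.com.' -> ['www', 'example', 'com']."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


@dataclass
class NegativeTrustAnchors:
    """Hypothetical per-zone 'do not validate' table keyed by canonical zone name."""
    entries: dict = field(default_factory=dict)  # zone -> expiry (epoch seconds)

    def add(self, zone: str, lifetime: float, now: Optional[float] = None) -> None:
        """Turn validation off for `zone` and everything below it for `lifetime` seconds."""
        now = time.time() if now is None else now
        self.entries[".".join(_labels(zone))] = now + lifetime

    def remove(self, zone: str) -> None:
        """Turn validation back on for `zone` explicitly, before it expires."""
        self.entries.pop(".".join(_labels(zone)), None)

    def covering(self, qname: str, now: Optional[float] = None) -> Optional[str]:
        """Closest enclosing unexpired NTA for qname (label-wise suffix match), or None."""
        now = time.time() if now is None else now
        labels = _labels(qname)
        for i in range(len(labels)):          # full name first, then each parent up to the TLD
            candidate = ".".join(labels[i:])
            expiry = self.entries.get(candidate)
            if expiry is None:
                continue
            if expiry <= now:                 # lifetime over: drop it, validation is back on
                del self.entries[candidate]
                continue
            return candidate
        return None

    def should_validate(self, qname: str, now: Optional[float] = None) -> bool:
        return self.covering(qname, now) is None

    def outcome(self, qname: str, validation_ok: bool, now: Optional[float] = None) -> str:
        """What the cache hands back: a failed validation is 'insecure' under an NTA, else SERVFAIL."""
        if validation_ok:
            return "secure"
        return "insecure" if self.covering(qname, now) else "servfail"
```

Note that a partial label match ("notexample.com" against an NTA for "example.com") is deliberately not a match, and the NTA never turns a failed validation into "secure".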
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop