On 25 Apr 2014, at 11:14, Phillip Hallam-Baker <hal...@gmail.com> wrote:
> The existing DNS works as far as the people running their firewalls
> are concerned. The failure of TCP fallback in practice has been an
> understood problem for 20+ years.

Understood, perhaps; measured and understood, not so much.

What is sorely missing from most/all protocol evolution discussions is a rigorous study of the actual impact of larger response sizes, fragmentation, interception/middlebox-mangling, TCP fallback and TCP pipelining in the real world in at least two problem domains, recursive-authority and stub-recursive.

> If people want to design a protocol that is going to be usable, they
> are going to end up having to accept some constraints that are not in
> the specs.

And it would be great if we could describe those constraints with confidence.

There was concern that signing ORG might cause resolution problems due to larger responses, or might cause TCP fallback on a scale not seen before. The former were not apparent. The latter happened (due to a defect in the signer used for ORG) but did not cause any obvious problems.

There was widespread expectation that DNSSEC in the root zone would impact resolvers' ability to prime, hence the DURZ, global netops meeting roadshow, LTQC, etc. No issues were identified.

We will get much further, much more quickly if we know more about what problems are likely and which ones are unlikely. Being afraid of every possible negative outcome is just a recipe for doing nothing.

No useful risk analysis is possible without data.


Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
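As an added illustration of the kind of per-response classification such a measurement study would be built on (example code, not part of the thread or any poster's work), the block below parses a DNS response from the wire, records its size, whether the TC bit is set, and the EDNS0 UDP payload size carried in any OPT record, and then sorts it into "fits classic 512-byte UDP", "needs EDNS0", or "requires TCP fallback", flagging responses large enough that IPv4 fragmentation is likely. The sample messages are constructed inline; the 512-byte classic limit (RFC 1035) and the 1472-byte unfragmented IPv4 payload figure (1500 MTU minus 20-byte IPv4 and 8-byte UDP headers) are the assumed thresholds.

```python
"""Classify DNS responses by the transport path they imply.

Added example, not code from the DNSOP thread or its authors. Sample
messages are constructed below. Thresholds are assumptions: 512 bytes is
the classic UDP limit without EDNS0 (RFC 1035); 1472 bytes is the largest
UDP payload that fits an unfragmented 1500-byte IPv4 MTU.
"""
import struct
from collections import Counter

CLASSIC_UDP_LIMIT = 512
UNFRAGMENTED_IPV4_PAYLOAD = 1472
TC_FLAG = 0x0200           # TC bit in the DNS header flags word
TYPE_OPT = 41              # EDNS0 OPT pseudo-RR


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length


def _skip_rrs(msg, off, count, want_opt):
    """Skip `count` resource records; return (new offset, OPT UDP size or None)."""
    opt_size = None
    for _ in range(count):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if want_opt and rtype == TYPE_OPT:
            opt_size = rclass          # in an OPT RR the CLASS field carries the UDP payload size
        off += 10 + rdlen
    return off, opt_size


def classify(msg):
    """Describe one DNS response: size, TC bit, advertised EDNS0 buffer, transport implication."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    off, _ = _skip_rrs(msg, off, an + ns, False)
    _, opt_size = _skip_rrs(msg, off, ar, True)
    size = len(msg)
    tc = bool(flags & TC_FLAG)
    if tc:
        path = "tcp-fallback"          # responder truncated; client must retry over TCP
    elif size <= CLASSIC_UDP_LIMIT:
        path = "udp-classic"
    else:
        path = "udp-edns"              # only deliverable because EDNS0 raised the limit
    return {
        "size": size,
        "tc": tc,
        "edns_bufsize": opt_size,
        "path": path,
        "likely_fragmented": (not tc) and size > UNFRAGMENTED_IPV4_PAYLOAD,
    }


def build_response(qname, answer_rdlens, tc=False, edns_bufsize=None):
    """Constructed test data: a minimal response with RRSIG-typed filler answers,
    an optional TC bit and an optional OPT RR. Rdata content is irrelevant here."""
    flags = 0x8180 | (TC_FLAG if tc else 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    # each answer: compression pointer to the qname at offset 12, TYPE 46, CLASS IN, TTL, RDLENGTH, RDATA
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 46, 1, 300, n) + b"\x00" * n for n in answer_rdlens)
    additional = b""
    if edns_bufsize is not None:
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer_rdlens), 0,
                         1 if edns_bufsize is not None else 0)
    return header + question + answers + additional


def survey(responses):
    """Aggregate classifications the way a measurement study would summarise a capture."""
    counts = Counter()
    for m in responses:
        c = classify(m)
        counts[c["path"]] += 1
        if c["likely_fragmented"]:
            counts["likely_fragmented"] += 1
    return dict(counts)


# Constructed samples (not captured traffic): plain A-sized answer, a signed-size answer that
# needs EDNS0, one large enough to fragment, and a truncated response forcing TCP.
SAMPLES = [
    build_response("example.org.", [4]),
    build_response("example.org.", [300, 300], edns_bufsize=4096),
    build_response("example.org.", [700, 700, 300], edns_bufsize=4096),
    build_response("example.org.", [], tc=True, edns_bufsize=512),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify(m))
    print(survey(SAMPLES))
```

Run against a real capture, the `survey` counts are the sort of data the message asks for: how often responses exceed the classic limit, how often they are large enough to fragment, and how often TC forces a TCP retry, per resolver population.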