> Masataka Ohta <mailto:mo...@necom830.hpcl.titech.ac.jp>
> Saturday, March 14, 2015 1:02 AM
> Randy Bush wrote:
>
>>> What problem are we specifically trying to solve here again?
>> not break things that are working
>
> Yup. Qmail or any software produced by djb adhering to the existing
> standards of the Internet.

you say "adhering to ... standards".
i say "depending on corner cases".

ultimately what matters is whatever works. if cloudflare decides to stop
answering QTYPE=ANY then it would take all million or so qmail customers
complaining to cloudflare's NOC to get cloudflare to change its mind. i
don't think that's going to happen, for a number of reasons, one of
which is that the corner case qmail is depending on was a bad idea
originally and has gotten nothing but worse since then. but let's run
the experiment, shall we?
>
>
> Paul Vixie wrote:
>
>> everything is broken, depending on whom you ask.
>
> The worst broken thing in DNS is DNSSEC.

thank you for amplifying my point.
>
> As a person who has been saying DNSSEC has been broken from the
> beginning, after which, as certain amount of operational experiences,
> it was revised several times along the way to fix some (but not all),
> IMHO, broken parts, may I volunteer to fix not ANY but DNSSEC entirely?
>
> Before replying to me, remember that you have been saying, from the
> beginning, that DNSSEC was OK if it were properly implemented.

i probably said that fifteen years ago and maybe i said it again ten
years ago. here is me, on record:

> DNSSEC is a colossal flop, but not a mistake. It's an embarrassment,
> but we'd do it all again if we had to. It's late -- it was started
> years before the IPv6 effort but is (believe it if you can) even less
> finished and less deployed than IPv6. It's ugly and complicated and if
> we knew then what we know now we'd've scrapped DNS itself and started
> from scratch just to avoid the compromises we've made. But we didn't
> know then, etc., and what we have to do now is avert our gaze and
> fully deploy this ugly embarrassing thing.
>
> Let me explain.
>
> ... 
(http://www.dnssec.net/why-deploy-dnssec)


see also:

> At the time of this writing DNSSEC mostly does not work. 
(http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/)
>
> I may temporarily ignore the fundamental operational impossibility of
> DNSSEC and try to make it least harmful w.r.t. DDOS.

uh, thanks?

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
