----- Original Message -----
> From: "Mark Andrews" <ma...@isc.org>

> [ vix: ]
> > > meanwhile isc continues to push for ubiquitous dnssec, through to
> > > the stub, to take this issue off the table for all people and all
> > > time. (that's "the real fix" for nxdomain remapping.)
> >
> > You really believe that the outcome of that will be "we can't make
> > some extra revenue off NXDOMAIN remapping because of DNSSEC? Well,
> > the hell with DNSSEC, then"?
>
> People will route around ISPs that do stupid things. They do so
> today. When your browser supports DANE there will be more incentive
> to ensure that DNSSEC does not break and more incentive to route
> around ISPs that do break DNSSEC.

My personal reaction to that, Mark, is to say that you *badly*
overestimate the average Internet end-user (who make up, roughly, 80%
of the endpoints, in my jackleg estimation).

> Even an ISP that is redirecting on NXDOMAIN wants to be sure that
> it is a real NXDOMAIN, not one that is spoofed, so the path to the
> ISP's resolver will be DNSSEC clean and they will be validating.

I'm not sure I understood that...

> Until stub resolvers set DO=1 pretty much ubiquitously this won't
> be a problem for ISPs that want to do nxdomain redirection. There
> are still plenty of crappy DNS proxies in CPE routers to be replaced
> before you can just set DO=1 as a default without worrying about
> breaking DNS lookups. Even setting EDNS as a default is an issue.

...but that's probably because I don't understand DNSSEC well enough.

> That said, we are starting down the long path to making EDNS a
> default. DiG in BIND 9 defaults to using EDNS and "dig +trace"
> sets DO=1 as well. You don't get things fixed if the breakage
> is not visible.

We may be talking about different breakage here...

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
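The thread turns on two wire-level details: whether a stub sends an EDNS0 OPT record with the DO bit set, and whether the NXDOMAIN that comes back carries DNSSEC proof (NSEC/NSEC3 plus RRSIG in the authority section) or is just a bare name error that a redirecting resolver could have synthesised. The following is an added example, not code from the thread, from BIND, or from either poster. It builds a stub-style query with and without EDNS/DO using only the Python standard library, and parses a reply far enough to report the rcode, the AD bit, whether the server echoed an OPT with DO, and whether the NXDOMAIN is accompanied by proof records. The two sample replies are constructed here; their RRSIG and NSEC rdata are placeholder bytes, since the classifier only looks at record types, not signatures.

```python
"""Minimal DNS wire-format helpers for EDNS0 / DO=1 queries and NXDOMAIN
inspection.  Added example for the thread above, not BIND or dig code."""
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 6, 41, 46, 47, 50
CLASS_IN = 1
RCODE_NXDOMAIN = 3
FLAG_RD, FLAG_AD = 0x0100, 0x0020
EDNS_DO = 0x8000  # DO bit: MSB of the 16-bit flags field packed into the OPT "TTL"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(udp_size: int = 4096, do: bool = True) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root owner, TYPE 41, CLASS = UDP payload
    size, TTL = ext-rcode(8) | version(8) | flags(16), empty RDATA."""
    ttl = EDNS_DO if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(qname: str, qtype: int = TYPE_A, qid: int = 0x1234,
                edns: bool = True, do: bool = True) -> bytes:
    """Stub-resolver style query: RD=1, one question, OPT in additional if edns.
    A legacy stub (edns=False) sends no OPT at all, so it cannot ask for DNSSEC."""
    hdr = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return hdr + question + (opt_rr(do=do) if edns else b"")


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Pull out rcode, AD bit, EDNS/DO presence and the records per section."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip question(s)
        _, off = read_name(msg, off)
        off += 4
    info = {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "edns": False, "do": False,
            "sections": {"answer": [], "authority": [], "additional": []}}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_OPT:  # the OPT is metadata, not a real record
                info["edns"], info["do"] = True, bool(ttl & EDNS_DO)
            else:
                info["sections"][sec].append((name, rtype, rdata))
    return info


def classify(info: dict) -> str:
    """A DO=1 client on a validating path expects NXDOMAIN to come with
    NSEC/NSEC3 + RRSIG in the authority section; without them it is unprovable."""
    if info["rcode"] != RCODE_NXDOMAIN:
        return "not-nxdomain"
    auth_types = {t for _, t, _ in info["sections"]["authority"]}
    if TYPE_RRSIG in auth_types and auth_types & {TYPE_NSEC, TYPE_NSEC3}:
        return "nxdomain-with-dnssec-proof"
    return "nxdomain-without-proof"


def build_response(qname: str, rcode: int, authority, ad: bool = False, do: bool = True) -> bytes:
    """Constructed reply (QR|RD|RA) matching build_query's id; authority is a
    list of (owner, type, rdata).  Used only to fabricate samples below."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b"".join(encode_name(o) + struct.pack("!HHIH", t, CLASS_IN, 3600, len(r)) + r
                    for o, t, r in authority)
    return hdr + question + body + opt_rr(do=do)


# Constructed samples (not captures).  RRSIG/NSEC rdata are placeholders.
QNAME = "nosuchname.example."
SOA_RDATA = (encode_name("ns1.example.") + encode_name("hostmaster.example.")
             + struct.pack("!IIIII", 1, 7200, 3600, 1209600, 3600))
SIGNED_NXDOMAIN = build_response(QNAME, RCODE_NXDOMAIN, [
    ("example.", TYPE_SOA, SOA_RDATA),
    ("example.", TYPE_RRSIG, b"\x00" * 18),
    ("example.", TYPE_NSEC, encode_name("zzz.example.") + b"\x00\x01\x40"),
    ("example.", TYPE_RRSIG, b"\x00" * 18),
], ad=True)
BARE_NXDOMAIN = build_response(QNAME, RCODE_NXDOMAIN,
                               [("example.", TYPE_SOA, SOA_RDATA)], ad=False, do=False)

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED_NXDOMAIN), ("bare", BARE_NXDOMAIN)):
        info = parse_response(msg)
        print(label, info["rcode"], "AD" if info["ad"] else "-", "DO" if info["do"] else "-", classify(info))
```

Sending `build_query(QNAME)` to a resolver over UDP and feeding the bytes to `parse_response` is the stub-side check Mark describes: a resolver (or CPE proxy) that strips or chokes on the OPT shows up as `edns=False`, and a "redirected" name error shows up as a non-NXDOMAIN rcode or an NXDOMAIN with no proof records. Note that `classify` only checks that the proof records are present; verifying the RRSIGs against the zone's keys is a separate step this example does not perform.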