Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-22 Thread Wolfgang Nagele
+1 I would love to see more discussion on the implication of its findings than the semantics of how they were presented. There is a lot to learn from the information the measurement has delivered. On 8/22/13 2:14 PM, "Fred Morris" <m3...@m3047.net> wrote: On Wed, 21 Aug 2013, Dobbins,

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Randy Bush
> I'm still not convinced that the right answer is not to standardise, > or not to write up a BCP how about a wcp? nancy regan was right. i am still at the other end of the elephant. why is the frelling software on the farbled server not detecting that it has been farbled and screaming loudly?

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Joe Abley
Hi Randy, On 2013-08-22, at 16:58, Randy Bush wrote: >> I think we need to acknowledge that there will always be signing >> problems > > < from a conversation with a friend wiser than i > > > the problem is that we are going through a deployment phase where there > is little penalty for sloppy

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Paul Vixie
Randy Bush wrote: > < from a conversation with a friend wiser than i > > > the problem is that we are going through a deployment phase where there > is little penalty for sloppy server ops because so few are validating. > > patching over this to be more tolerant of sloppy server ops is going in >

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Cutler James R
On Aug 22, 2013, at 7:05 PM, Suzanne Woolf wrote: > On Aug 22, 2013, at 6:25 PM, Paul Vixie wrote: > >> >> >> Paul Hoffman wrote: >>> >>> On Aug 22, 2013, at 2:47 PM, David Conrad wrote: >>> A resolver operator deploying an NTA is making an assertion that data behind a name is s

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Vernon Schryver
> From: Suzanne Woolf > I don't like it either, but it limits the damage done by a DNSSEC = > failure to status quo ante rather than something worse. That is mistaken. You get the status quo ante by simply turning off validation. Turning off validation is the only sane response this year to phone

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Paul Vixie
Suzanne Woolf wrote: > > On Aug 22, 2013, at 6:25 PM, Paul Vixie > wrote: > >> ... i don't like NTA. if my signatures don't work because i've been >> attacked (for example, one of my name servers has been compromised), >> the last thing i'd want is comcast telling their

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Randy Bush
> I think we need to acknowledge that there will always be signing > problems < from a conversation with a friend wiser than i > the problem is that we are going through a deployment phase where there is little penalty for sloppy server ops because so few are validating. patching over this to be

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Suzanne Woolf
On Aug 22, 2013, at 6:25 PM, Paul Vixie wrote: > > > Paul Hoffman wrote: >> >> On Aug 22, 2013, at 2:47 PM, David Conrad wrote: >> >>> A resolver operator deploying an NTA is making an assertion that data >>> behind a name is safe despite protocol indications that it may not be. >> >> Whe

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Paul Vixie
Paul Hoffman wrote: > On Aug 22, 2013, at 2:47 PM, David Conrad wrote: > >> A resolver operator deploying an NTA is making an assertion that data behind >> a name is safe despite protocol indications that it may not be. > > Where is that stated? I ask, because it would seem that a better descri

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Paul Hoffman
On Aug 22, 2013, at 2:47 PM, David Conrad wrote: > A resolver operator deploying an NTA is making an assertion that data behind > a name is safe despite protocol indications that it may not be. Where is that stated? I ask, because it would seem that a better description would be that they are

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread David Conrad
Doug, On Aug 22, 2013, at 12:06 PM, Doug Barton wrote: > As stated before, the problem is that after the "early adopter" period is > over we'll be stuck with NTAs forever. A resolver operator deploying an NTA is making an assertion that data behind a name is safe despite protocol indications t

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Joe Abley
On 2013-08-22, at 12:06, Doug Barton wrote: > As stated before, the problem is that after the "early adopter" period is > over we'll be stuck with NTAs forever. I think we need to acknowledge that there will always be signing problems, and there will always be validator operators who know tha

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Edward Lewis
(Just using this to launch into a tirade.) On Aug 22, 2013, at 15:59, wrote: > Running the DNS for 100+ school districts and 400,000+ devices I really, > REALLY don't want to be the one saying "Sorry, you can't use the site > called for in your lesson plan today because they messed up the DNSS

[dns-operations] Reminder about upcoming .gov algorithm roll

2013-08-22 Thread Wessels, Duane
This notice is a reminder that an algorithm roll for the .gov zone will take place in the upcoming weeks. The .gov zone is currently signed with algorithm 7 (RSASHA1-NSEC3-SHA1) and will be changed to use algorithm 8 (RSA/SHA-256). The schedule for t

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Paul Vixie
Keith Mitchell wrote: >>> From: Doug Barton >>> As stated before, the problem is that after the "early adopter" period >>> is over we'll be stuck with NTAs forever. This is one of those >>> fundamental disagreements between those who believe that DNS should >>> always be forgiving of operator

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Vernon Schryver
> From: wbr...@e1b.org > Running the DNS for 100+ school districts and 400,000+ devices, I really, > REALLY don't want to be the one saying "Sorry, you can't use the site > called for in your lesson plan today because they messed up the DNSSEC > records." Management's response would be "Just m

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Keith Mitchell
>> From: Doug Barton > >> As stated before, the problem is that after the "early adopter" period >> is over we'll be stuck with NTAs forever. This is one of those >> fundamental disagreements between those who believe that DNS should >> always be forgiving of operator error, and those of us wh

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread WBrown
> From: Doug Barton > As stated before, the problem is that after the "early adopter" period > is over we'll be stuck with NTAs forever. This is one of those > fundamental disagreements between those who believe that DNS should > always be forgiving of operator error, and those of us who do no

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Vernon Schryver
> From: Doug Barton > > >+lots. Penalizing the early adopters simply leads to no deployment. How long after the start of significant DNSSEC deployment (say the signing of com) will the early adopter period end? When I saw that comment about early adopters, my first thought was "Yes, perhaps

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Doug Barton
On 08/22/2013 08:29 AM, Mehmet Akcin wrote: On 8/21/13 11:25 AM, "Warren Kumari" <war...@kumari.net> wrote: >>>FWIW, I remain opposed to the idea, but trying to do due diligence. >> I still like the idea as it is the only way for big resolver providers >>to deploy D

[dns-operations] xn--l1acc TLD gone bad already

2013-08-22 Thread Chris Thompson
The TLD "xn--l1acc" (an IDN for Mongolia) which was only added to the root zone last weekend, signed and with a DS right from the outset, seems to have got into trouble already. It looks as if a KSK rollover from a key with id 29566 to one with id 38599 has been applied without changing the DS RR

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Mehmet Akcin
> > On 8/21/13 11:25 AM, "Warren Kumari" wrote: > > >>>FWIW, I remain opposed to the idea, but trying to do due diligence. > >> I still like the idea as it is the only way for big resolver providers > >>to deploy DNSSEC when their competitors have not. > > > >+lots. Penalizing the early adopters s

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Livingood, Jason
On 8/21/13 11:25 AM, "Warren Kumari" wrote: >>>FWIW, I remain opposed to the idea, but trying to do due diligence. >> I still like the idea as it is the only way for big resolver providers >>to deploy DNSSEC when their competitors have not. > >+lots. Penalizing the early adopters simply leads to