On Mon, Jul 13, 2009 at 01:59:46PM +0200,
Roy Arends wrote
a message of 33 lines which said:
> SSAC's Report on DNS Response Modification
> http://www.icann.org/en/committees/security/sac032.pdf
Indeed. Good document. There is no need to discuss
draft-livingood-dns-lie, all the issues r
On Mon, Jul 13, 2009 at 12:01:51PM -0700,
Paul Hoffman wrote
a message of 17 lines which said:
> Some of the services defined in the draft are highly desired by some
> Internet users.
I did not hear them so this sort of users is obviously not in the
dnsop WG :-) More seriously, no one mentione
* Alan Barrett:
> I think that this sort of lying recursive resolver is a bad idea.
> Instead, I suggest a new "SUGGESTION" RR type that could be returned
> in the additional section of an error message. For example, if
> you ask for www.example.invalid, you could get back an NXDOMAIN
> error, wi
* Paul Hoffman:
> Paul: that's over the top. Some of the services defined in the draft
> are highly desired by some Internet users.
Which ones?
Currently, when a user enters "mcrsoft" in the address bar, many
browsers will automatically send her to the Microsoft homepage. With
spoofed answers,
On Thu, 16 Jul 2009, Mark Andrews wrote:
The problem is not resolving portal.isp.com. The problem is that
mail.xelerance.com "resolves" to portal.isp.com, but never makes
it because my validating stub resolver has a DNSSEC key loaded
for xelerance.com. A problem that in the future will become wo
Stephane Bortzmeyer wrote:
> I regret one thing with SSAC 032: they mix wildcards in the zone and
> lying resolvers. True, they have similarities but also differences
> (for instance, wildcards in a zone follow the DNS protocol, and
> therefore are compatible with DNSSEC) and I'm a bit tired of Sla
At 9:22 AM +0200 7/16/09, Stephane Bortzmeyer wrote:
>On Mon, Jul 13, 2009 at 12:01:51PM -0700,
> Paul Hoffman wrote
> a message of 17 lines which said:
>
>> Some of the services defined in the draft are highly desired by some
>> Internet users.
>
>I did not hear them so this sort of users is obvi
[As before, my hat is off. Especially to Roy Arends and Tony Finch.]
On Wed, Jul 15, 2009 at 07:46:17PM +0100, Tony Finch wrote:
> A better way for ISPs to address that problem […]
I am not trying to argue that the proposed solution is right; I am
just pointing out that there is in fact a probl
On 7/16/09 3:22 AM, "Stephane Bortzmeyer" wrote:
>
>> > I did not hear them so this sort of users is obviously not in the
>> > dnsop WG :-) More seriously, no one mentioned here any survey about
>> > this. So, we can just guess and speculate.
>
> You can probably safely assume that any large I
>> > I'll speak for my parents here: a DNS resolver that reduces the chance that they'll get a drive-by malware
>> > infection is something they would happily use. Having said that, a DNS resolver that gives them a page of
>> > search results instead of the browser's error page when they mist
Folks,
I'd like to see descriptions of the major isp-initiated intercepts:
o cn's provisioning of a name space that includes two entries not
present in the iana root (ok, this may be less of a dynamic re-write
feature),
o idns's provisioning of name spaces with "idns",
o other actors provisio
On Thu, Jul 16, 2009 at 08:07:50AM -0400,
Livingood, Jason wrote
a message of 76 lines which said:
> FWIW, I think most ISPs that introduce such services see around a
> 0.1% opt-out rate.
What does it prove? Most ISPs that introduce lying resolvers as an
opt-in service see a 0.1 % opt-out rat
>> SSAC's Report on DNS Response Modification
>> http://www.icann.org/en/committees/security/sac032.pdf
>
> Indeed. Good document. There is no need to discuss
> draft-livingood-dns-lie,
Is that really necessary?
> all the issues raised here in this WG were
> already in the SSAC document
> TLDs, including your own zones. This is indeed not just Site Finder
> all over again - it's far worse, and breaks far more applications than
> Site Finder did.
Please do send me that list of applications. I would very much like to
describe these use cases in the next version of the draft.
Tha
>> FWIW, I think most ISPs that introduce such services see around a
>> 0.1% opt-out rate.
>
> What does it prove? Most ISPs that introduce lying resolvers as an
> opt-in service see a 0.1 % opt-out rate, too. It proves only that most
> users do not dare to change the settings or are not informed
On Thu, 16 Jul 2009, Florian Weimer wrote:
>
> (But I agree that a clean solution requires protocol development.)
No, it just requires browser user interface improvements.
Tony.
--
f.anthony.n.finch http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MO
* Tony Finch:
> On Thu, 16 Jul 2009, Florian Weimer wrote:
>>
>> (But I agree that a clean solution requires protocol development.)
>
> No, it just requires browser user interface improvements.
If you want to address the issue with hotspot doorway pages, you need
protocol changes.
Livingood, Jason wrote:
>> TLDs, including your own zones. This is indeed not just Site Finder
>> all over again - it's far worse, and breaks far more applications than
>> Site Finder did.
>
> Please do send me that list of applications. I would very much like to
> describe these use cases in th
* Jason Livingood:
> Actual consumer behavior doesn't really seem to work that
> way, but I'm not a behavioral psychologist. ;-) FWIW, I think most
> ISPs that introduce such services see around a 0.1% opt-out rate.
I would expect a higher rate of Dnschange/Zlob infections at a typical
On Thu, 16 Jul 2009, Florian Weimer wrote:
>
> If you want to address the issue with hotspot doorway pages, you need
> protocol changes.
Better to use an intercepting proxy in that case, and for quarantining
infected hosts.
Protocol changes aren't sufficient because if you just extend DNS
without
On Jul 16, 2009, at 5:43 AM, Jeroen Massar wrote:
Livingood, Jason wrote:
Please do send me that list of applications. I would very much like to
describe these use cases in the next version of the draft.
Please list "The Internet" as one of them, it kinda encompasses a lot of
others too.
On Wed, Jul 15, 2009 at 09:16:06PM +0200, Roy Arends wrote:
> If you want a real analogy, think alternative roots. From the users
> perspective, that is what is happening here: an alternative namespace
> is created. Would we have a discussion at all if this perspective was
> used?
Yes, we wo
On Thu, 16 Jul 2009, David Conrad wrote:
I am *VERY* happy that DNSSEC is moving along perfectly fine
which will kill any kind of changing DNS results.
DNSSEC doesn't touch anything after the validator. It will have no effect on
the vast majority of Comcast (or other consumer oriented) ISPs'
* Tony Finch:
> On Thu, 16 Jul 2009, Florian Weimer wrote:
>>
>> If you want to address the issue with hotspot doorway pages, you need
>> protocol changes.
>
> Better to use an intercepting proxy in that case, and for quarantining
> infected hosts.
Doesn't work if the user uses the employer's fil
David Conrad wrote:
> On Jul 16, 2009, at 5:43 AM, Jeroen Massar wrote:
>> Livingood, Jason wrote:
>>> Please do send me that list of applications. I would very much like to
>>> describe these use cases in the next version of the draft.
>>
>> Please list "The Internet" as one of them, it kinda enc
On Thu, 16 Jul 2009, Florian Weimer wrote:
> * Tony Finch:
> > On Thu, 16 Jul 2009, Florian Weimer wrote:
> >>
> >> If you want to address the issue with hotspot doorway pages, you need
> >> protocol changes.
> >
> > Better to use an intercepting proxy in that case, and for quarantining
> > infecte
On Jul 16, 2009, at 11:43 AM, Jeroen Massar wrote:
Please. Enough hyperbole.
Unless you state that "The Internet" is only "The Web", there are other
users of "The Internet" though. Don't try and limit what other people
can do with this public resource.
Could we ratchet down the rhetoric?
D
On Jul 16, 2009, at 10:27 AM, Paul Wouters wrote:
DNSSEC doesn't touch anything after the validator. It will have no
effect on the vast majority of Comcast (or other consumer oriented)
ISPs' customers.
Fedora 12 is slated to run with a validator on every machine.
This is the right directio
On 16 Jul 2009, at 20:58, David Conrad wrote:
Except for most users, accepting none means "the Internet is broken"
which will result in ISP or OS vendor support calls which will
undoubtedly result in users being instructed to turn off validation
(like they get told to turn off IPv6 today).
Jim,
On Jul 16, 2009, at 1:30 PM, Jim Reid wrote:
On 16 Jul 2009, at 20:58, David Conrad wrote:
Except for most users, accepting none means "the Internet is
broken" which will result in ISP or OS vendor support calls which
will undoubtedly result in users being instructed to turn off
valid
In message <20090716110830.ga7...@shinkuro.com>, Andrew Sullivan writes:
> Well, I'd discuss it, anyway. I know that if someone came with a
> document outlining the best way to do split-brain DNS -- which is
> widely deployed and an alternative namespace if ever I've seen one --
> and especially