Re: DNSEXT future
there are three replies here, two about DLV, one about this mailing list.

> From: Michael StJohns <mstjohns@comcast.net>
>
> With respect to Paul Vixie's note - I assume he meant passing the DLV
> document to Informational rather than as a standard? ...

no. roy arends told me a dlv the other day that would scale. steve crocker
asked his dnssec-deployment committee the other day whether dnssec was
deployable without "something like dlv" and the consensus was "no." (steve
went further than i, saying that "something like dlv" would ALWAYS be needed,
not just as an early deployment aid.) taking those two facts together means
that we need to put roy's dlv on the standards track, and for that we need a
WG.

given that this WG has created an undeployable secure-dns protocol, it seems
that disbanding would be a good way to signal our disgrace, but would not
serve any constructive purpose. literally speaking, we're just not finished.

> From: Roy Arends <roy@nominet.org.uk>
>
> vixie> i'd like to see roy's version of DLV standardized
> vixie> before we quit, that's all.
>
> Me too. (well, of course I would, wouldn't I). Jakob and I are writing this
> up in a draft that will soon hit the list.

and there was great rejoicing. i disagreed with steve, i thought secure dns
only needs "something like dlv" during early deployment. but based on david
conrad's estimate of the costs and risks involved in holding the KSK, and the
unlikelihood of ICANN being able to assume those costs or willing to assume
those risks, i now agree with steve, "something like dlv" will *always* be
needed.

given that roy's proposed hack to dlv would allow each domain to choose its
own dlv registry, the scaling limit of "one single dlv registry" will be gone,
and with some care around both off-the-wire aggressive-negative-caching and
negative caching in general, dlv as part of the basic secure dns architecture
is not only necessary, but realistic and practical.

> From: bert hubert <bert.hubert@netherlabs.nl>
>
> kerr> For the record, I like the idea of a hibernating group of DNS
> kerr> experts to *help* people with their DNS ideas and drafts.
>
> For me that is a very important point - 'namedroppers' serves as a central
> gathering of DNS experts and knowledge.
>
> Whatever happens to DNSEXT, I still need such a central place where people
> know how things *should* work. As opposed to DNSOP which is a gathering of
> people who know how things *do* work :-)

the namedroppers@ mailing list predates this WG, and predates the old DNSIND
working group, and may predate IETF, having been part of NWG. there is no
authority now living who can close this list, only choose whether to stop
hosting it, and i do not expect "ops.ietf.org" to stop hosting this list.

on the other hand, dns-operations@lists.oarci.net has been a success, more so
than the various other (closed, invitation only) lists hosted by OARC. keith
would certainly create dns-protocol@lists.oarci.net if someone asked him to.
--
archive: <http://ops.ietf.org/lists/namedroppers/>