On 8/28/14 10:55 AM, Timothe Litt wrote:

> Aside from the use of the word 'absurdity', I'm not offended.  I am
> trying to educate.  And while I recognize that I'm arguing
> pragmatism with a market purist,

It's nice to be called "pure," in some context anyway. :) However, as I pointed out, I'm not simply arguing market forces, I'm also arguing the morality of rewarding those providers who do the right thing; and I'm quite specifically arguing the anti-pragmatist perspective that voting with your feet is important.

Chris, I purposely did not invoke the spectre of Jim Reid because I did not agree with his violent opposition to the DLV when it was created. But now that we're in the "signed root" phase of DNSSEC deployment I think that argument has a lot more validity.

> hopefully the OP (and others) will
> learn why some of us have a slightly different view of how to get to
> the end goal.

I agree that illuminating the different points of view is valuable, and I am happy to agree to disagree with you (and Chris Thompson) on this topic.

> And why my advice for resolvers is 'check DLV', while my advice for
> domain owners is 'take reasonable steps to stay/get out of DLV, but
> use it if you *must*'.

> We're actually not that far apart...

... I'm sorry to say that we are still quite far apart on specifics though. You continue to use the word "impossible" when what you mean is "outside of the constraints I have created for myself." I was trying not to devolve into a discussion of your specific situation, but one really simple solution to your particular use case would be to move your stuff to a colo facility where they provide proper reverse DNS, signed delegations, etc. There is a world of other options, but you have designated a set of parameters within which you wish to operate, and a provider that does DNSSEC is outside of your parameters. That doesn't make it "impossible," that makes it "something you're not willing to do."

Chris' message was an excellent example of his particular value of "really, really hard," but even he points out that it's not the same as "impossible." His organization has done the cost/benefit analysis and determined that having a DNSSEC chain from the root for their reverse delegations is not worth the cost of moving away from JANET. I don't know the politics anywhere near as well as Chris does, but I know them well enough to know that his organization is probably correct in their analysis. In any case, their network, their rules. I have no problem with that.

And I want to reiterate one last time that I'm NOT saying that no one should use the DLV, or that no one should put new entries into it. If you or Chris have people that need to validate your reverse DNS, they should be given the information they need about using the DLV to do that. What I AM saying is that people should not be routinely advised to use the DLV, and that resolver operators should only use it if they have a good reason to.

And with that, I'll let others chime in, as I don't think I'm saying anything new here. :)

Doug

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
