David Conrad wrote:

> NAT does not need to be modified.  As I type this, I am behind a
> commercial (relatively low end -- an Apple Airport Extreme basestation)
> NAT with firewalling enabled.  It works just fine.

So what? A NAT at an airport must be, unlike NATs in enterprises,
consumer friendly. Unlike high-end NAT, low-end NAT won't
bother to interfere with DNS.
  
Could you please provide us, not with your personal experience, but
with an *EXHAUSTIVE*, or at least exhaustive for high-end, list of the
varieties of NAT functionalities?

>> Then, the increased load is a very good reason for root servers not
>> to support DNSSEC.

> The root server operators have demonstrated that they are quite capable
> of ramping capacity to meet demand (actually, the root servers are
> wildly over provisioned to try to deal with DDoS attacks so I doubt the
> increase in load caused by what I'm suggesting would even be an issue).

An increase in the number of nameservers directly interacting with
authoritative nameservers increases not only legitimate queries but
also DDoS queries.

> Alternatively, we could move to a more distributed model of DNS
> operations in which the caching servers that are doing DNSSEC cache the
> entire root zone, perhaps zone transferring the signed root zone from
> some authoritative and trusted place.

Are you seriously saying that you actively want to have intermediate
caching servers between your laptop and authoritative servers?

Then, as I mentioned, the caching servers are such easy victims of DoS.

Anyway, your approach is meaningless against "com.".

> Another reason could be that a really tremendous amount of crap is
> being generated by servers that are so old that they don't notice a
> root server address change.

Thank you for providing yet another piece of evidence that DNSSEC won't
be deployed much.

>> Abandon DNSSEC and accept the reality that, even with DNSSEC,
>> management of DNS is not very secure.

> Ah.  The "Math is hard.  Let's go shopping." alternative.  Not sure
> this is particularly helpful.

Remember that I was the only person who understood the math of
both DNS and PKI when DNSSEC was initially discussed.

Yes, "Math is hard" for you.

As the person who still understands the math of both, I can
authoritatively declare that DNSSEC is fundamentally broken,
which you could have argued against 10 years ago but not now.

                                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop