On Aug 19, 2008, at 6:40 AM, Masataka Ohta wrote:
> So what? NAT at airport must be, unlike NATs in enterprises,
> consumer friendly. Unlike high end NAT, low end NAT won't
> bother to interfere with DNS.
Right. Because low-end consumer gear is always so much better
implemented than enterprise gear.
> Could you please provide us, not your personal experience, but
> an *EXHAUSTIVE*, or, at least exhaustive on high end, list on
> varieties of NAT functionalities?
I'll get right on that.
Actually, on second thought, you seem to be the one asserting
fundamentally broken behavior on the part of high end gear. Shouldn't
it be you that provides the data to back up your assertions?
> Increase on the nameservers directly interacting with authoritative
> nameservers increases not only legitimate queries but also DDOS
> queries.
You seem to be asserting that DDOS queries come from the same source
as legitimate queries. Can I see your data that backs up this
statement?
>> Alternatively, we could move to a more distributed model of DNS
>> operations in which the caching servers that are doing DNSSEC
>> cache the entire root zone, perhaps zone transferring the signed
>> root zone from some authoritative and trusted place.
> Are you seriously saying that you actively want to have intermediate
> caching servers between your laptop and authoritative servers?
No. I'm suggesting that if the root zone is signed, the root zone data
can be obtained from places other than the root servers without
concerns about data corruption and installed in caching servers
(something quite a few folks already do, ignoring the risk of
corrupted data). This data can then be distributed out to the edge.
This should address any concerns anyone might have with overloading
the root servers.
> Anyway, your approach is meaningless against "com.".
Due to the thrash in the COM zone, yes. Fortunately, I didn't suggest
applying the distributed model to COM.
> As the person who still understands the math of both, I can
> authoritatively declare that DNSSEC is fundamentally broken,
Well, I guess that settles it then. You don't have to turn on DNSSEC.
> which you could have argued against 10 years ago but not now.
It's such a shame that computer processing technology for doing stuff
like cryptography hasn't advanced in 10 years.
Regards,
-drc
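The arrangement described above, a validating resolver that transfers the signed root zone from any reachable source and serves it locally while still validating it against the root trust anchor, is what RFC 8806 later standardised. As an added example that is not part of this thread, here is an Unbound `auth-zone` stanza for it; the transfer sources are the ones RFC 8806 lists, and the file paths are assumptions:

```conf
server:
    # Validate everything against the root trust anchor. A corrupted or
    # tampered copy of the root zone fails DNSSEC validation and is not
    # used, which is why the transfer source does not need to be trusted.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

auth-zone:
    name: "."
    # Servers that permit AXFR of the signed root zone (from RFC 8806).
    primary: b.root-servers.net
    primary: c.root-servers.net
    primary: f.root-servers.net
    primary: g.root-servers.net
    primary: k.root-servers.net
    primary: lax.xfr.dns.icann.org
    primary: iad.xfr.dns.icann.org
    # If the transfer fails or the local copy expires, fall back to
    # ordinary iterative queries to the root servers rather than going dark.
    fallback-enabled: yes
    # Never answer downstream clients authoritatively for "."; only use the
    # local copy in place of upstream queries to the root servers.
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"                # assumed path
```

Because the data is checked against the trust anchor, a mirror only has to be available, not trusted; `fallback-enabled` keeps resolution working when every mirror is unreachable.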
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop