On Jul 16, 2009, at 11:43 AM, Jeroen Massar wrote:
Please.  Enough hyperbole.
Unless you state that "The Internet" is only "The Web", there are other
users of "The Internet" though. Don't try and limit what other people
can do with this public resource.

Could we ratchet down the rhetoric?

DNS redirection does not break the Internet. DNS redirection can result in unanticipated responses. Some applications can behave in sub-optimal ways in the face of these unanticipated responses. This is a far cry from breaking "the Internet".

As far as I can tell, Comcast's network and their recursive servers are not a "public resource". As folks on Comcast's network are not forced to be Comcast's customer nor (as far as I know) are they required to use Comcast's name servers, I don't see where you, this working group, or the IETF has a right to determine what Comcast does.

The point Andrew tried to make is that the lesson we (should have) learned with NAT is that folks are going to deploy technologies that some may consider ill-advised or impure or "evil" or whatever if they find it to be in their interests to do so, regardless of what this working group or the IETF may say. In order to limit the proliferation of 'solutions', it is in the best interests of operators to standardize on an agreed-upon approach and document the implications of that approach (both positive and negative) to ensure everyone understands what they're doing. Blocking these efforts, resulting in various broken ways of doing the same thing, is far more detrimental to the Internet than the existence of the standardized solution.

DNSSEC doesn't touch anything after the validator.  It will have no
effect on the vast majority of Comcast (or other consumer oriented)
ISPs' customers.

"The vast majority" aha, so discrimination of the people who do want to
actually have real truthful Internet is acceptable????

Might I suggest switching to decaffeinated?

My statement is merely the truth. The vast majority of consumer oriented ISPs supply the DNS resolver settings to their customers. As such, validation would occur prior to the insertion of redirected responses. The exceptionally few applications that try to do validation on their own are so far in the noise as to be irrelevant.

As a user of the Internet I *am* running a validating DNSSEC recursor on
my hosts. Thanks to ISC for the DLV :)

I am fairly sure that a lot of other people will also want to do this.

A little perspective please. I'm fairly sure that you and everyone else who runs a validating DNSSEC recursor on their host are an infinitesimal minority of Internet users.

More to the point, DNS redirection does not imply running your own recursor is disallowed. Yes, it can be implemented in such a way as to break running your own recursor, but if this occurs, the right answer is to vote with your feet.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
