Jim,

On Jul 16, 2009, at 1:30 PM, Jim Reid wrote:
> On 16 Jul 2009, at 20:58, David Conrad wrote:
>> Except for most users, accepting none means "the Internet is broken" which will result in ISP or OS vendor support calls which will undoubtedly result in users being instructed to turn off validation (like they get told to turn off IPv6 today).
> OTOH, one might hope that if customer support got flooded with such calls the message that Tampering With DNS Responses Is A Very Bad Thing would eventually get through to those responsible for that behaviour and they'd take action to stop doing that. I can dream, can't I?

Sure, but what I was talking about was doing DNSSEC in a local resolver in the general case, not DNS redirection.

> BTW, almost all of the scenarios in Section 5 of draft-livingood-dns-redirect-00 are concerned with browser activity and HTTP redirection. So it seems to be wrong to (ab)use the DNS to solve what looks like a web problem. That appears to be a layering violation.

Sure. I would agree with those who argue that DNS redirection is the wrong answer, pretty much regardless of what the question is. However, I'd prefer to have _one_ wrong answer instead of a myriad slightly different wrong answers. If you have a single wrong answer, you have a much better chance of being able to programmatically get around it.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
