On Tue, Jun 19, 2018 at 5:04 PM Tony Finch <d...@dotat.at> wrote:
> Ondřej Surý <ond...@isc.org> wrote:
> >
> > Do people think the SIG(0) is something that we should keep in DNS and
> > it will be used in the future or it is a good candidate for throwing off
> > the boat?
>
> SIG(0) is the only DNS feature that (could) allow unauthenticated client
> access to an authenticated server, which would allow
>
> * secure interface to resolver (maybe with SIG(0) + TKEY -> TSIG,
>   but now probably better to use TLS or DoH)
>
> * secure stealth secondaries (maybe TLS support would be better)
>

<no hats>
... what I'd always wanted[0] was to be able to set up my own recursive name server somewhere on the Internet, and then only allow myself (and a few of my closest friends) to be able to query it.

1: Obviously having it as an open recursive is not the answer (e.g. it would show up in Jared's list within a few days :-))
2: Everyone travels, and so adding and removing myself (and a few of my closest friends) from ACLs won't realistically work
3: The obvious "just use a VPN" / SSH tunnels / etc. is simply annoying.

SIG(0) seemed like the perfect solution -- toss something in resolv.conf next to the nameserver, and <handwave> magic happens.

Unfortunately, this doesn't actually, you know, exist... (and much of it can now be solved with DNS-over-TLS, but still...)

So, SIG(0) could be many nice things, but without more implementations it is hobbled...

W

[0]: Ok, I haven't *always* wanted this, only for the past ~18 years...

>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> an equitable and peaceful international order
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf

_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop