At 02:00 AM 11/19/2001 -0600, Eric A. Hall wrote:
>Dave Crocker wrote:
> > That means the DNS client and the DNS Administration interfaces that
> > create DNS entries. No other part of the system needs to change.
>
>Under the current spec, hostile redirects are trivially easy.

In what way does the translation/encapsulation approach of an ACE alter the current fundamentals of DNS security? It is odd that your assessment of the security risk is not shared by others who have worked with the DNS for a long time.

In particular, how does the proposal ADD the security risk you describe?

(By the way, there are a number of other questions still awaiting your answer from an earlier message of today. Please do find the time to respond to them.)

>You have made it clear that you despise basic science

Actually I mostly despise ad hominems during a technical exchange, though it is easy to appreciate the temptation.

>but it should be equally clear that it is far too early to be anointing
>anything the winner in this process

Perhaps you have experience with other standards work that drags on for many years, but is still successful. Alas, that is not the track record in the IETF (or ISO or ITU). No doubt it would be fascinating to hear recitation of such successes. Some other time, however.

This topic has been hashed, re-hashed, and otherwise made a hash of, by these sorts of exchanges. After two years, detailed specifications are in short supply. In fact, there is only one with enough detail to consider completing soon. It is thorough, has minimal operational impact, satisfies the functional requirements, and has substantial consensus.

And, by the way, it is entirely acceptable that you disagree. That's why we call IETF consensus "rough". (The word also covers the ad hominems.)

d/

----------
Dave Crocker <mailto:[EMAIL PROTECTED]>
Brandenburg InternetWorking <http://www.brandenburg.com>
tel +1.408.246.8253; fax +1.408.273.6464
