Re: [DNSOP] DNSng-ish (was Re: key lengths for DNSSEC)
On Wed, Apr 2, 2014 at 11:24 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
> On Wed, Apr 2, 2014 at 10:48 PM, Andrew Sullivan a...@anvilwalrusden.com wrote:
>> On Wed, Apr 02, 2014 at 09:07:07PM -0400, Phillip Hallam-Baker wrote:
>>> 1) Client - Resolver
>>> Changing 1 is the easiest and also the part that is most in need.
>>
>> From where I sit, that project appears to reduce to roughly "upgrade all the computers on Earth". It may be that we do not have a common meaning of "easiest". Perhaps you could say more.
>
> Nope, just the gateway devices and the main DNS servers.
>
> Legacy DNS over raw UDP will be around for decades to come. But DNS over a privacy protected transport is quite viable. The privacy issues are most acute at the network gateway device, the firewall or the WiFi router. Privacy protection plus anti-censorship protection is in big demand right now.

Since we have essentially zero DNSSEC stub clients in operation and 100% of those that are in use are being deployed by aggressive early adopters, deployment in the stub client - recursive loop is actually quite easy.

What we can't do is to break legacy DNS without DNSSEC. That is the deployment scenario that is beyond redemption.

-- 
Website: http://hallambaker.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
[DNSOP] DNSng-ish (was Re: key lengths for DNSSEC)
On Wed, Apr 02, 2014 at 07:21:11PM -0400, Phillip Hallam-Baker wrote:
> Which is why I have been pushing the notion that if we are going to do DNSE then part of the DNSE solution should be to get us out of the single response packet straightjacket.

I've seen what you've had to say on that, and what I just don't understand yet is how that answer is deployable. That is, how is what you are suggesting there (and in your other discussions of this topic) not "replace DNS"? Or, if it is, why don't we just do a new protocol completely? We could fix the internationalization issues. We could ditch UDP and in a single blow eliminate a major source of DDoS on the Internet. And so on. The only problem is getting everyone to upgrade. No?

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com
Re: [DNSOP] DNSng-ish (was Re: key lengths for DNSSEC)
On Wed, Apr 02, 2014 at 09:07:07PM -0400, Phillip Hallam-Baker wrote:
> 1) Client - Resolver
> Changing 1 is the easiest and also the part that is most in need.

From where I sit, that project appears to reduce to roughly "upgrade all the computers on Earth". It may be that we do not have a common meaning of "easiest". Perhaps you could say more.

Best regards,

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com
Re: [DNSOP] DNSng-ish (was Re: key lengths for DNSSEC)
On Wed, Apr 2, 2014 at 10:48 PM, Andrew Sullivan a...@anvilwalrusden.com wrote:
> On Wed, Apr 02, 2014 at 09:07:07PM -0400, Phillip Hallam-Baker wrote:
>> 1) Client - Resolver
>> Changing 1 is the easiest and also the part that is most in need.
>
> From where I sit, that project appears to reduce to roughly "upgrade all the computers on Earth". It may be that we do not have a common meaning of "easiest". Perhaps you could say more.

Nope, just the gateway devices and the main DNS servers.

Legacy DNS over raw UDP will be around for decades to come. But DNS over a privacy protected transport is quite viable. The privacy issues are most acute at the network gateway device, the firewall or the WiFi router. Privacy protection plus anti-censorship protection is in big demand right now.

-- 
Website: http://hallambaker.com/
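The two mechanics argued over in this thread, the "single response packet" limit of DNS over UDP and a "privacy protected transport" for the stub-to-recursive hop, can be shown concretely. The following is an added example written for this archive page, not code from any of the posters. It hand-builds a DNS query in wire format, frames it with the 2-byte length prefix that TCP and TLS use (so a reply is not bounded by one datagram and the TC bit becomes irrelevant), sends it over DNS-over-TLS (RFC 7858, port 853), and parses the answer, rejecting replies whose transaction ID does not match. The resolver name `dns.quad9.net` and port 853 in `query_over_tls()` are assumptions, and `sample_response()` is a constructed reply, not a captured packet, so the codec can be exercised offline.

```python
"""DNS wire-format codec plus a minimal DNS-over-TLS (RFC 7858) client.
Added example; resolver name/port are assumptions, sample reply is constructed."""
import os
import socket
import ssl
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: UDP reply did not fit, retry over a stream transport
FLAG_RD = 0x0100   # recursion desired

def encode_name(name):
    """Encode a hostname as DNS labels (RFC 1035 s3.1); IDNs must already be A-labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, msg_id=None):
    """Build a recursive query; the ID is random unless supplied (tests pass one)."""
    if msg_id is None:
        msg_id = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def frame_stream(msg):
    """TCP and TLS carry each message behind a 2-byte length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end

def parse_response(msg, expected_id):
    """Parse the header and A records; reject replies whose ID does not match."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if msg_id != expected_id:
        raise ValueError("response ID does not match the query")
    if not flags & FLAG_QR:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": flags & 0xF, "truncated": bool(flags & FLAG_TC), "answers": answers}

def sample_response(truncated=False):
    """Constructed reply to an example.com A query with ID 0x1234 (not captured traffic)."""
    flags = FLAG_QR | FLAG_RD | 0x0080 | (FLAG_TC if truncated else 0)   # RA set
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xc0\x0c"                               # pointer back to the question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
              + socket.inet_aton("93.184.216.34"))
    return header + question + answer

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def query_over_tls(name, server="dns.quad9.net", port=853):
    """One A query over DNS-over-TLS. Resolver is an assumption; resolving `server`
    by name bootstraps over plain DNS, so a deployment would pin the resolver IP."""
    msg_id = struct.unpack("!H", os.urandom(2))[0]
    ctx = ssl.create_default_context()                  # verifies the resolver cert
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_stream(build_query(name, msg_id=msg_id)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), msg_id)

# usage (needs network): query_over_tls("example.com")
```

The length prefix is the whole of the "escape from the single packet" for stream transports: a reply of any size is just a longer frame, and a client that sees `truncated` set on a UDP reply retries the same query through `query_over_tls()`. The ID check is the minimum a stub should do regardless of transport; over TLS the resolver's certificate is what actually stops an on-path party from answering in its place, which UDP offers nothing against.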