On Mon, Jul 13, 2009 at 01:59:46PM +0200,
Roy Arends r...@dnss.ec wrote
a message of 33 lines which said:
SSAC's Report on DNS Response Modification
http://www.icann.org/en/committees/security/sac032.pdf
Indeed. Good document. There is no need to discuss
draft-livingood-dns-lie, all
On Mon, Jul 13, 2009 at 12:01:51PM -0700,
Paul Hoffman paul.hoff...@vpnc.org wrote
a message of 17 lines which said:
Some of the services defined in the draft are highly desired by some
Internet users.
I did not hear them so this sort of users is obviously not in the
dnsop WG :-) More
* Alan Barrett:
I think that this sort of lying recursive resolver is a bad idea.
Instead, I suggest a new SUGGESTION RR type that could be returned
in the additional section of an error message. For example, if
you ask for www.example.invalid, you could get back an NXDOMAIN
error, with
* Paul Hoffman:
Paul: that's over the top. Some of the services defined in the draft
are highly desired by some Internet users.
Which ones?
Currently, when a user enters mcrsoft in the address bar, many
browsers will automatically send her to the Microsoft homepage. With
spoofed answers, he
On Thu, 16 Jul 2009, Mark Andrews wrote:
The problem is not resolving portal.isp.com. The problem is that
mail.xelerance.com resolves to portal.isp.com, but never makes
it because my validating stub resolver has a DNSSEC key loaded
for xelerance.com. A problem that in the future will become
Stephane Bortzmeyer wrote:
I regret one thing with SSAC 032: they mix wildcards in the zone and
lying resolvers. True, they have similarities but also differences
(for instance, wildcards in a zone follow the DNS protocol, and
therefore are compatible with DNSSEC) and I'm a bit tired of
At 9:22 AM +0200 7/16/09, Stephane Bortzmeyer wrote:
On Mon, Jul 13, 2009 at 12:01:51PM -0700,
Paul Hoffman paul.hoff...@vpnc.org wrote
a message of 17 lines which said:
Some of the services defined in the draft are highly desired by some
Internet users.
I did not hear them so this sort of
I'll speak for my parents here: a DNS resolver that reduces the chance that
they'll get a drive-by malware
infection is something they would happily use. Having said that, a DNS
resolver that gives them a page of
search results instead of the browser's error page when they mistype a URL
On Thu, Jul 16, 2009 at 08:07:50AM -0400,
Livingood, Jason jason_living...@cable.comcast.com wrote
a message of 76 lines which said:
FWIW, I think most ISPs that introduce such services see around a
0.1% opt-out rate.
What does it prove? Most ISPs that introduce lying resolvers as an
opt-in
SSAC's Report on DNS Response Modification
http://www.icann.org/en/committees/security/sac032.pdf
Indeed. Good document. There is no need to discuss
draft-livingood-dns-lie,
Is that really necessary?
all the issues raised here in this WG were
already in the SSAC document one year
TLDs, including your own zones. This is indeed not just Site Finder
all over again - it's far worse, and breaks far more applications than
Site Finder did.
Please do send me that list of applications. I would very much like to
describe these use cases in the next version of the draft.
FWIW, I think most ISPs that introduce such services see around a
0.1% opt-out rate.
What does it prove? Most ISPs that introduce lying resolvers as an
opt-in service see a 0.1% opt-out rate, too. It proves only that most
users do not dare to change the settings or are not informed or have
On Thu, 16 Jul 2009, Florian Weimer wrote:
(But I agree that a clean solution requires protocol development.)
No, it just requires browser user interface improvements.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY
* Tony Finch:
On Thu, 16 Jul 2009, Florian Weimer wrote:
(But I agree that a clean solution requires protocol development.)
No, it just requires browser user interface improvements.
If you want to address the issue with hotspot doorway pages, you need
protocol changes.
Livingood, Jason wrote:
TLDs, including your own zones. This is indeed not just Site Finder
all over again - it's far worse, and breaks far more applications than
Site Finder did.
Please do send me that list of applications. I would very much like to
describe these use cases in the next
* Jason Livingood:
Actual consumer behavior doesn't really seem to work that
way, but I'm not a behavioral psychologist. ;-) FWIW, I think most
ISPs that introduce such services see around a 0.1% opt-out rate.
I would expect a higher rate of Dnschange/Zlob infections at a typical
On Thu, 16 Jul 2009, Florian Weimer wrote:
If you want to address the issue with hotspot doorway pages, you need
protocol changes.
Better to use an intercepting proxy in that case, and for quarantining
infected hosts.
Protocol changes aren't sufficient because if you just extend DNS
without
On Jul 16, 2009, at 5:43 AM, Jeroen Massar wrote:
Livingood, Jason wrote:
Please do send me that list of applications. I would very much
like to
describe these use cases in the next version of the draft.
Please list The Internet as one of them, it kinda encompasses a
lot of
others too.
On Wed, Jul 15, 2009 at 09:16:06PM +0200, Roy Arends wrote:
If you want a real analogy, think alternative roots. From the user's
perspective, that is what is happening here: an alternative namespace
is created. Would we have a discussion at all if this perspective was
used?
Yes, we
On Thu, 16 Jul 2009, David Conrad wrote:
I am *VERY* happy that DNSSEC is moving along perfectly fine
which will kill any kind of changing DNS results.
DNSSEC doesn't touch anything after the validator. It will have no effect on
the vast majority of Comcast (or other consumer oriented)
* Tony Finch:
On Thu, 16 Jul 2009, Florian Weimer wrote:
If you want to address the issue with hotspot doorway pages, you need
protocol changes.
Better to use an intercepting proxy in that case, and for quarantining
infected hosts.
Doesn't work if the user uses the employer's filtering
David Conrad wrote:
On Jul 16, 2009, at 5:43 AM, Jeroen Massar wrote:
Livingood, Jason wrote:
Please do send me that list of applications. I would very much like to
describe these use cases in the next version of the draft.
Please list The Internet as one of them, it kinda encompasses a lot
On Thu, 16 Jul 2009, Florian Weimer wrote:
* Tony Finch:
On Thu, 16 Jul 2009, Florian Weimer wrote:
If you want to address the issue with hotspot doorway pages, you need
protocol changes.
Better to use an intercepting proxy in that case, and for quarantining
infected hosts.
On Jul 16, 2009, at 11:43 AM, Jeroen Massar wrote:
Please. Enough hyperbole.
Unless you state that The Internet is only The Web, there are
other
users of The Internet though. Don't try and limit what other people
can do with this public resource.
Could we ratchet down the rhetoric?
DNS
On Jul 16, 2009, at 10:27 AM, Paul Wouters wrote:
DNSSEC doesn't touch anything after the validator. It will have no
effect on the vast majority of Comcast (or other consumer oriented)
ISPs' customers.
Fedora 12 is slated to run with a validator on every machine.
This is the right
On 16 Jul 2009, at 20:58, David Conrad wrote:
Except for most users, accepting none means the Internet is broken
which will result in ISP or OS vendor support calls which will
undoubtedly result in users being instructed to turn off validation
(like they get told to turn off IPv6 today).
Jim,
On Jul 16, 2009, at 1:30 PM, Jim Reid wrote:
On 16 Jul 2009, at 20:58, David Conrad wrote:
Except for most users, accepting none means the Internet is
broken which will result in ISP or OS vendor support calls which
will undoubtedly result in users being instructed to turn off
In message 20090716110830.ga7...@shinkuro.com, Andrew Sullivan writes:
Well, I'd discuss it, anyway. I know that if someone came with a
document outlining the best way to do split-brain DNS -- which is
widely deployed and an alternative namespace if ever I've seen one --
and especially how