A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations Working Group of
the IETF.
Title : DNSSEC Operational Practices, Version 2
Author(s) : Olaf M. Kolkman
FYI: This version adopts the review items from Alfred and Marc.
Best regards,
Matthijs
On 04/13/2012 09:11 AM, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work
Hello,
Joe Abley wrote:
I think that we need a better mechanism to avoid lame delegations to the
AS112 servers, given their loosely-coordinated nature.
I like the idea that came up in Québec (which I shall attribute to
Warren Kumari since I've seen other people do that, although I was not
in
Mark Andrews, Thursday, April 12, 2012 11:43 PM:
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Thursday, April 12, 2012 11:43 PM
To: Stephan Lagerholm
Cc: Ralf Weber; Marc Lampo; Nicholas Weaver; dnsop@ietf.org;
Livingood,
Jason
Subject: Re: [DNSOP] on Negative
Stephan,
An interesting approach :
if a parent removes DS information for a child, if it finds the child
to be in error,
then, can an attacker make the check fail (in order to get the DS
removed) ?
At least one thing :
Unlike the Dan Kaminsky flavour of cache poisoning attack,
there is no way
Responding to a message at random ...
I skimmed the draft, and with respect to the authors this is a terrible
idea.
DNSSEC is pointless if it's not used as designed. Providing an easy way
to bypass validation makes many things worse instead of better ... not
the least of which is that if an
Doug Barton do...@dougbarton.us wrote:
Furthermore, the mechanism is not necessary, since if you somehow had
knowledge that it was safe to use the data even if it doesn't validate
you can temporarily set up a forward zone that points to a
non-validating resolver.
AFAIK that doesn't work in
the information economics of this draft are all wrong. with all possible
respect for the comcast team who is actually validating signatures for
18 million subscribers and is therefore way ahead of the rest of the
industry and is encountering the problems of pioneers... this is not
supposed to be
On Fri, Apr 13, 2012 at 05:43:42PM +, Paul Vixie wrote:
i'm opposed to negative trust anchors, both for their security
implications if there were secure applications in existence, and for
their information economics implications.
+1
--
Evan Hunt -- e...@isc.org
Internet Systems
On 13 apr 2012, at 22:09, Evan Hunt wrote:
On Fri, Apr 13, 2012 at 05:43:42PM +, Paul Vixie wrote:
i'm opposed to negative trust anchors, both for their security
implications if there were secure applications in existence, and for
their information economics implications.
+1
+1
On Apr 13, 2012, at 1:24 PM, Patrik Fältström wrote:
On 13 apr 2012, at 22:09, Evan Hunt wrote:
On Fri, Apr 13, 2012 at 05:43:42PM +, Paul Vixie wrote:
i'm opposed to negative trust anchors, both for their security
implications if there were secure applications in existence, and for
On 13 apr 2012, at 22:24, Patrik Fältström wrote:
+1
In a private chat I am asked to explain my +1.
Let me explain why.
Today, before negative trust anchors, the responsibility for whether the
resolution that is basis for a connection establishment is with the zone owner.
If the signature
On 13 apr 2012, at 22:44, Nicholas Weaver wrote:
Because practice has shown that it is the recursive resolver, not the
authority, that gets blamed.
As you saw in my mail, I completely disagree from my own personal experience.
If I look at the number of failures, the number of cases where
...
More pragmatically, while I understand the theory behind rejecting NTAs,
I have to admit it feels a bit like the IETF rejecting NATs and/or DNS
redirection. I would be surprised if folks who implement NTAs will stop
using them if they are not accepted by
On Apr 13, 2012, at 2:39 PM, Patrik Fältström wrote:
http://kommunermeddnssec.se/maps.php
This is one of the coolest things I have clicked in a long time. Thanks for
sharing
mehmet
On Apr 13, 2012, at 3:30 PM, Jaap Akkerhuis wrote:
More pragmatically, while I understand the theory behind rejecting NTAs,
I have to admit it feels a bit like the IETF rejecting NATs and/or DNS
redirection. I would be surprised if folks who implement NTAs will stop
using them if they are not