On Fri, May 29, 2009 at 11:23:26PM -0400, Andrew Sullivan wrote:
> discussed, not always separately, in this thread,
I should have said "these threads", of course -- I was implicitly
tying this discussion to the recent discussion of particular sites for
meetings. But the general point is still
On Fri, May 29, 2009 at 02:34:03PM -0700, Fred Baker wrote:
> our Asian colleagues, that means flying to a major US or Canadian airport
> like EWR, ORD, or YYQ, and taking another flight to YQB.
[other air routings elided]
Also, note, the passenger rail service to Québec from either Montréal
o
On May 29, 2009, at 7:33 AM, Francis Dupont wrote:
I don't understand your argument: it seems to apply to UDP over SCTP
but here we have SCTP over UDP. BTW the easiest way to convert DNS
over UDP into DNS over SCTP is to use an ALG (application layer
gateway) which in the DNS is known as
Dean Anderson wrote:
> The dispute on 'certificate' is over the definition of what
> 'certificate' means.
As I used the word 'certificate' with a reference, there is no
point to argue against me with terminology different from the
refereed paper.
Anyway, the definition of 'certificate' does not
I don't think we have a specific set of requirements from the
community. Dave Crocker and some friends started putting some notes
together more than a decade ago, and last I spoke with him about it he
had dropped it because he had been unable to form a consensus. Maybe
that needs to be rene
In message <4a20539e.3070...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Paul Wouters wrote:
>
> > DNSSEC involves no certificates and no certificate authorities. You know
> > this.
>
> As is documented in the paper of David Clark;
>
> http://portal.acm.org/citation.cfm?doid=383034.
John,
On Thu, May 28, 2009 at 03:39:17PM -0400, John C Klensin wrote:
>
> When you have time, I (and I believe others) would like to
> understand better how you evaluate "reasonable costs for the
> IETF and attendees". I think it is general knowledge that it
> is possible to trade IETF costs o
Paul Wouters wrote:
> DNSSEC involves no certificates and no certificate authorities. You know
> this.
As is documented in the paper of David Clark;
http://portal.acm.org/citation.cfm?doid=383034.383037
These certificates are principal components of essentially all
public key schemes, e
On Fri, 29 May 2009, Masataka Ohta wrote:
> Though there seems to be some confusion that DNSSEC security were
> end to end
It is.
> , below is an excerpt from an authentic document by David
> Clark on how PKI, including DNSSEC, involves certificate authorities
DNSSEC involves no certificates and n
On Fri, 29 May 2009, Alessandro Vesely wrote:
> It's what the patch has reinforced. SCTP is more secure than the patched
> bind, yet easier than DNSSEC.
where easier means "update all the root and TLD servers and load balancers
and what not to support DNS over SCTP. While DNSSEC is supported *righ
At 14:42 26-05-2009, Alexey Melnikov wrote:
There have been two Last Call notices sent to the IETF for:
'Internet Mail Architecture' as a
Proposed Standard
The IESG has received a concern about the intended publication
status of this document and wishes to confirm the community's prefere
David Conrad wrote:
Given that it is pretty easy to predict a subset of the queries a
given server will issue in a given time frame, using SCTP can improve
reliability better than adding another 32bit random number.
1) It isn't easy
What did your mail server look up after receiving this messa
Dean Anderson wrote:
TCP is used by many, if not all, resolvers to get large responses.
And I'm working on changes to DJBDNS dnscache that enable a
configuration option to use TCP by default and fall back to UDP if TCP
is not available.
As that would increase security, I imagine that many op
Alessandro,
On May 29, 2009, at 12:09 AM, Alessandro Vesely wrote:
One has to trust each cache!
With DNSSEC, you don't have to trust the cache since the only thing
the miscreants who compromise the cache can do is the functional
equivalent of removing the entry from the cache.
Given that
Bob,
I'd like to express my thanks for this information. I believe
that, if the community had more information of this sort,
updated as needed, we would have fewer firestorms when meeting
sites are announced.
When you have time, I (and I believe others) would like to
understand better how you ev
In your previous mail you wrote:
Shouldn't be difficult. I'm not much into either technology, but since
SCTP can be tunneled through UDP, it should be possible to retrofit
SCTP adoption onto an existing DNS implementation. On an OS that
provides SCTP natively, a module inserted bet
In your previous mail you wrote:
I thought TCP was the default when the UDP message size is not enough.
=> with EDNS0 this is a bit more complex but IMHO this is the idea.
Note the recommended "connection management" (RFC 1025 4.2.2) suggests
multiple queries/responses too.
That's, AFAIK
On Fri, 29 May 2009, Alessandro Vesely wrote:
transport security is pretty meaningless in the DNS world which operates
using a distributed caching system.
One has to trust each cache!
Your solution to protect the DNS is "just trust everyone"?
Given that it is pretty easy to predict a subset
--On Friday, May 29, 2009 06:18 -0600 Doug Ewell wrote:
> Iljitsch van Beijnum wrote:
>
>>> plans about changes in RFC and I-D formats
>>
>> Huh?
>
> From ASCII to UTF-8, or from plain-text to PDF.
Or the more recent, long and with many messages, discussion
about the order of the abstract
Iljitsch van Beijnum wrote:
plans about changes in RFC and I-D formats
Huh?
From ASCII to UTF-8, or from plain-text to PDF.
--
Doug Ewell * Thornton, Colorado, USA * RFC 4645 * UTN #14
http://www.ewellic.org
http://www1.ietf.org/html.charters/ltru-charter.html
http://www.alvestrand.n
On May 29, 2009, at 12:23 PM, Alessandro Vesely wrote:
David Conrad wrote:
However, pragmatically speaking, I suspect it is going to be much,
much easier to get DNSSEC deployed than it would be to get every
router/firewall/NAT manufacturer and network operator to support/
deploy SCTP, not t
David Conrad wrote:
However, pragmatically speaking, I suspect it is going to be much, much
easier to get DNSSEC deployed than it would be to get every
router/firewall/NAT manufacturer and network operator to support/deploy
SCTP, not to mention getting every DNSSEC server to support DNS over SC
Paul Wouters wrote:
On Thu, 28 May 2009, Alessandro Vesely wrote:
The limitations in TCP or SCTP security stem from
transport security is pretty meaningless in the DNS world which operates
using a distributed caching system.
One has to trust each cache! Given that it is pretty easy to predi
On 28 mei 2009, at 23:39, John C Klensin wrote:
plans about changes in RFC and I-D formats
Huh?