List: dns-operations
Subject: Re: [dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
From: Paul Vixie <paul () redbarn ! org>
Date: 2021-03-03 6:04:45
Message-ID: 20210303060445.cky3on2ai4uo7daa () family ! redbarn ! org
On Tue, Mar 02, 2021 at 08:34:21PM -0500, Viktor Dukhovni wrote:
> On Wed, Mar 03, 2021 at 12:40:55AM +0000, Paul Vixie wrote:
> > I think you had me right the first time. I'm imagining a world with
> > dnssec aware apps and stubs (and therefore, DANE validators in TLS
> > clients), where some paths are closed for stupid reasons..., but the
> > rest are either dnssec-aware or dnssec-nondamaging. We should not make
> > the minimum viable product unbuildable unless we lack better choices.
>
> A laudable goal, but exposing RRSIG as a bare RRset one can query does
> not look like a viable path forward. So I don't see this happening.

you described several cases in which rrsigs wouldn't be stable enough.
in my own role as signer, the rrsigs are refreshed by cron on sundays,
and so i think we're both looking at anecdotes here, worst or best case
scenarios, and what you don't see happening isn't totally compelling.

> More likely equipment that gets in the way will over time get replaced,
> or users will tunnel traffic to a less broken resolver.

there's a lot of ways this can go. i usually share the pessimism you're
expressing. but that doesn't mean i won't care if we make it all worse.

--
Paul Vixie
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations