NXDomain remapping, DNSSEC, Layer 9, and you.
Jay Ashworth
jra at baylink.com
Tue May 29 01:52:25 UTC 2012
----- Original Message -----
> From: "Mark Andrews" <marka at isc.org>
[ vix: ]
> > > meanwhile isc continues to push for ubiquitous dnssec, through to
> > > the stub, to take this issue off the table for all people and all
> > > time. (that's "the real fix" for nxdomain remapping.)
> >
> > You really believe that the outcome of that will be "we can't make
> > some extra revenue off NXDOMAIN remapping because of DNSSEC? Well,
> > the hell with DNSSEC, then"?
>
> People will route around ISPs that do stupid things. They do so
> today. When your browser supports DANE there will be more incentive
> to ensure that DNSSEC does not break and more incentive to route
> around ISPs that do break DNSSEC.

My personal reaction to that, Mark, is to say that you *badly* overestimate
the average Internet end-user (who make up, roughly, 80% of the endpoints,
in my jackleg estimation).

> Even an ISP that is redirecting on NXDOMAIN wants to be sure that
> it is a real NXDOMAIN not one that is spoofed so the path to the
> ISP's resolver will be DNSSEC clean and they will be validating.

I'm not sure I understood that...

> Until stub resolvers set DO=1 pretty much ubiquitously this won't
> be a problem for ISPs that want to do nxdomain redirection. There
> are still plenty of crappy DNS proxies in CPE routers to be replaced
> before you can just set DO=1 as a default without worrying about
> breaking DNS lookups. Even setting EDNS as a default is an issue.

...but that's probably because I don't understand DNSSEC well enough.

> That said we are starting down the long path to making EDNS a
> default. DiG in BIND 9 defaults to using EDNS and "dig +trace"
> sets DO=1 as well. You don't get things fixed if the breakage
> is not visible.

We may be talking about different breakage here...

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
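
For readers following the DO=1 and NXDOMAIN points in the thread, here is an added example (not part of the original message or of BIND): it builds a query with an EDNS OPT record carrying the DO bit, then reads RCODE, the AD flag and the answer count out of a reply to tell a real NXDOMAIN from a rewritten one. The probe name, the 1232-byte payload size, the helper names and the two reply byte strings are constructed for illustration.

```python
import struct

OPT, DO_BIT = 41, 0x8000  # EDNS0 OPT RR type (RFC 6891); DO flag in its TTL (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns=True, do=True, qid=0x1234):
    """Build an A query with RD=1; with edns, append an OPT RR carrying the DO bit."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, 1232, DO_BIT if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def inspect(msg):
    """Extract RCODE, AD flag, answer count and EDNS/DO state from a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, edns, do = 12, False, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            edns, do = True, bool(ttl & DO_BIT)
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "answers": an, "edns": edns, "do": do}

def looks_remapped(reply):
    """For a probe name that must not exist: NOERROR plus answers means a rewrite."""
    info = inspect(reply)
    return info["rcode"] == 0 and info["answers"] > 0

# Constructed replies to a probe for "nonexistent.example" (not captured traffic).
Q = encode_name("nonexistent.example") + struct.pack("!HH", 1, 1)
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + Q
REMAPPED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + Q + b"\xc0\x0c"
                  + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

A validating stub goes further than this check: with DO=1 it expects signed NSEC/NSEC3 denial records alongside the NXDOMAIN, which a rewritten answer cannot supply.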