NXDomain remapping, DNSSEC, Layer 9, and you.

Jay Ashworth jra at baylink.com
Tue May 29 01:52:25 UTC 2012


----- Original Message -----
> From: "Mark Andrews" <marka at isc.org>

[ vix: ]
> > > meanwhile isc continues to push for ubiquitous dnssec, through to
> > > the stub, to take this issue off the table for all people and all
> > > time. (that's "the real fix" for nxdomain remapping.)
> >
> > You really believe that the outcome of that will be "we can't make
> > some extra revenue off NXDOMAIN remapping because of DNSSEC? Well,
> > the hell with DNSSEC, then"?
> 
> People will route around ISPs that do stupid things. They do so
> today. When your browser supports DANE there will be more incentive
> to ensure that DNSSEC does not break and more incentive to route
> around ISPs that do break DNSSEC.

My personal reaction to that, Mark, is to say that you *badly* overestimate
the average Internet end-users (who make up, roughly, 80% of the endpoints,
in my jackleg estimation).

> Even an ISP that is redirecting on NXDOMAIN wants to be sure that
> it is a real NXDOMAIN, not one that is spoofed, so the path to the
> ISP's resolver will be DNSSEC clean and they will be validating.

I'm not sure I understood that...

> Until stub resolvers set DO=1 pretty much ubiquitously this won't
> be a problem for ISPs that want to do nxdomain redirection. There
> are still plenty of crappy DNS proxies in CPE routers to be replaced
> before you can just set DO=1 as a default without worrying about
> breaking DNS lookups. Even setting EDNS as a default is an issue.

...but that's probably because I don't understand DNSSEC well enough.

> That said, we are starting down the long path to making EDNS a
> default. DiG in BIND 9 defaults to using EDNS and "dig +trace"
> sets DO=1 as well. You don't get things fixed if the breakage
> is not visible.

We may be talking about different breakage here...

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
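As an added illustration of the DO=1 probing Mark describes (example code, not from the list or from ISC), the following Python builds a recursive query carrying an EDNS(0) OPT record with DO=1 and classifies the reply to a probe for a name that cannot exist in a DNSSEC-signed zone; the probe name, transaction id and both sample replies are constructed for the example.

```python
import struct
DO_FLAG = 0x8000          # EDNS(0) "DNSSEC OK" bit, carried in the OPT record's TTL field
RRSIG, OPT = 46, 41       # RR type numbers used below

def build_query(name: str, qtype: int = 1, do_bit: bool = True, txid: int = 0x1234) -> bytes:
    """Recursive query carrying an EDNS(0) OPT RR; DO=1 asks the resolver to return RRSIG/NSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    # OPT RR: root owner name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, DO_FLAG if do_bit else 0, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def classify_response(resp: bytes) -> str:
    """Classify a reply to a DO=1 probe for a name that must not exist in a DNSSEC-signed zone."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)           # RCODE and the AD (authenticated data) bit
    off = 12
    for _ in range(qd):                                        # skip the question section
        off = skip_name(resp, off) + 4
    answer_types = []
    for _ in range(an):                                        # collect RR types in the answer section
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        answer_types.append(rtype)
        off += 10 + rdlen
    if rcode == 3:
        return "nxdomain-validated" if ad else "nxdomain"
    if rcode == 0 and an and RRSIG not in answer_types:
        return "remapped"              # unsigned positive answer for a name that cannot legitimately exist
    return "answer-validated" if ad else "answer-unvalidated"

PROBE_QUERY = build_query("does-not-exist-probe.example.")   # hypothetical probe name
def constructed_reply(flags: int, answer_rrs: bytes, ancount: int) -> bytes:  # constructed sample, not captured traffic
    question = PROBE_QUERY[12:-11]     # echo the question; drop the header and the 11-byte OPT RR
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question + answer_rrs
# Resolver that remaps NXDOMAIN: NOERROR with a synthesized A record (c0 0c = pointer to the question name)
REMAPPED = constructed_reply(0x8180, b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 1]), 1)
# Honest validating resolver: NXDOMAIN with the AD bit set (NSEC/RRSIG proof in the authority section omitted here)
NXDOMAIN_AD = constructed_reply(0x81A3, b"", 0)
```

Against a live resolver, `classify_response` would be fed the UDP reply to `PROBE_QUERY`; a "remapped" result is the NXDOMAIN redirection the thread is about, which a validating stub would refuse.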