The whole alternate-root ${STATE}horse

Jay R. Ashworth jra at baylink.com
Sat Jul 9 17:34:25 UTC 2005


On Sat, Jul 09, 2005 at 11:46:11AM -0400, Todd Vierling wrote:
> On Wed, 6 Jul 2005 Michael.Dillon at btradianz.com wrote:
> > > 1. Security ("man-in-the-middle").
> >
> > VPNs, SSH tunnels, etc. There are ways to solve
> > this problem.
> 
> You would use a VPN or SSH tunnel to do what?  That's orthogonal to DNS
> security issues, and illustrates that you haven't read DNSSEC and/or 2826.
> 
> > > 2. Common interoperability.
> >
> > We do not currently have common interoperability for a
> > whole range of protocols.
> 
> So what?  DNS is one of the protocols where interoperability is not just
> desirable, it's MANDATORY.
> 
> Businesses and individuals expect that when they publish an e-mail or Web
> site hostname, that it be theirs and only theirs no matter where on the
> Internet it is accessed.  FQDNs are considered fixed points of entry, and
> alternate roots put that name resolution at risk.  (But if you had actually
> read RFC2826, you would already understand this.)

I'm going to dive in one more time here.

It's not the *root* operators that are the problem -- it's the *TLD*
zone operators.

> Introducing fragmented TLDs or the opportunity to supplant the common TLDs
> places the DNS infrastructure at risk.  This is not just FUD -- DNS
> hijacking in alternate roots has already happened.  (But if you had actually
> read RFC2826, you would already understand this.)

"infrastructure at risk".  Justify this *far-reaching* statement,
please.  Show your work.

> > and I appreciate the IAB's comments, but it was written at a time when we
> > didn't have as much experience with rootless networks as we do now.
> 
> The DNS is not a rootless network, so this is a pointless comment.

That response appears to assume facts not in evidence in his comment.

> On the flip side, there was quite a bit of experience with alternate DNS
> roots at the time RFC2826 was created -- AlterNIC, which was run and
> advocated by people just as blinded by ignorance as you.
> 
> Oh wait, your name wouldn't *actually* be Jim Fleming, would it?

<chuckle>

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra at baylink.com
Designer                          Baylink                             RFC 2100
Ashworth & Associates        The Things I Think                        '87 e24
St Petersburg FL USA      http://baylink.pitas.com             +1 727 647 1274

      If you can read this... thank a system administrator.  Or two.  --me
