The whole alternate-root ${STATE}horse
Jay R. Ashworth
jra at baylink.com
Sat Jul 9 17:34:25 UTC 2005
On Sat, Jul 09, 2005 at 11:46:11AM -0400, Todd Vierling wrote:
> On Wed, 6 Jul 2005 Michael.Dillon at btradianz.com wrote:
> > > 1. Security ("man-in-the-middle").
> >
> > VPNs, SSH tunnels, etc. There are ways to solve
> > this problem.
>
> You would use a VPN or SSH tunnel to do what? That's orthogonal to DNS
> security issues, and illustrates that you haven't read DNSSEC and/or 2826.
>
> > > 2. Common interoperability.
> >
> > We do not currently have common interoperability for a
> > whole range of protocols.
>
> So what? DNS is one of the protocols where interoperability is not just
> desirable, it's MANDATORY.
>
> Businesses and individuals expect that when they publish an e-mail or Web
> site hostname, that it be theirs and only theirs no matter where on the
> Internet it is accessed. FQDNs are considered fixed points of entry, and
> alternate roots put that name resolution at risk. (But if you had actually
> read RFC2826, you would already understand this.)
I'm going to dive in one more time here.
It's not the *root* operators that are the problem -- it's the *TLD*
zone operators.
> Introducing fragmented TLDs or the opportunity to supplant the common TLDs
> places the DNS infrastructure at risk. This is not just FUD -- DNS
> hijacking in alternate roots has already happened. (But if you had actually
> read RFC2826, you would already understand this.)
"infrastructure at risk". Justify this *far-reaching* statement,
please. Show your work.
> > and I appreciate the IAB's comments, but it was written at a time when we
> > didn't have as much experience with rootless networks as we do now.
>
> The DNS is not a rootless network, so this is a pointless comment.
That response appears to assume facts not in evidence in his comment.
> On the flip side, there was quite a bit of experience with alternate DNS
> roots at the time RFC2826 was created -- AlterNIC, which was run and
> advocated by people just as blinded by ignorance as you.
>
> Oh wait, your name wouldn't *actually* be Jim Fleming, would it?
<chuckle>
Cheers,
-- jra
--
Jay R. Ashworth jra at baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
If you can read this... thank a system administrator. Or two. --me
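The risk the quoted reply describes (an alternate root re-delegating a common TLD, so the same FQDN resolves to a different owner depending on which root the resolver trusts) and Jay's point that the TLD zone operator is where the divergence actually lives, as an added example that is not part of the original thread. All zones, operator names and addresses below are constructed; the addresses come from the RFC 5737 documentation ranges and nothing here uses real root or TLD data.

```python
from typing import Dict, Optional, Tuple

# A record is ("NS", apex_of_delegated_zone) or ("A", address).
Record = Tuple[str, str]
# A zone maps an owner name (always with trailing dot) to one record.
Zone = Dict[str, Record]

# Constructed TLD zones, keyed by zone apex. Two different operators both
# claim to be ".com"; they publish different answers for the same FQDN.
TLD_ZONES: Dict[str, Zone] = {
    "com.":     {"example.com.": ("A", "192.0.2.10")},    # the registrant's record
    "alt-com.": {"example.com.": ("A", "198.51.100.7")},  # a competing .com operator
    "net.":     {"example.net.": ("A", "192.0.2.20")},
}

# The common root delegates .com to the first operator; the alternate root
# points the same TLD label at the competing operator. Both roots agree on .net.
COMMON_ROOT: Zone = {"com.": ("NS", "com."), "net.": ("NS", "net.")}
ALT_ROOT: Zone = {"com.": ("NS", "alt-com."), "net.": ("NS", "net.")}


def _canonical(fqdn: str) -> str:
    """Lower-case the name and ensure a single trailing dot."""
    return fqdn.strip().lower().rstrip(".") + "."


def resolve(fqdn: str, root: Zone) -> Optional[str]:
    """Iteratively resolve fqdn: root -> TLD delegation -> A record.

    Returns the address, or None if the root does not delegate the TLD
    or the delegated zone has no A record for the name.
    """
    name = _canonical(fqdn)
    tld = name.split(".")[-2] + "."          # last label, e.g. "com."
    delegation = root.get(tld)
    if delegation is None or delegation[0] != "NS":
        return None                          # TLD unknown to this root
    zone = TLD_ZONES.get(delegation[1], {})
    record = zone.get(name)
    if record is None or record[0] != "A":
        return None
    return record[1]


def compare_roots(fqdn: str, roots: Dict[str, Zone]) -> Dict[str, Optional[str]]:
    """Resolve the same name from every root and return root name -> answer."""
    return {label: resolve(fqdn, root) for label, root in roots.items()}


def diverges(fqdn: str, roots: Dict[str, Zone]) -> bool:
    """True when the roots disagree: the name is no longer a fixed point of entry."""
    return len(set(compare_roots(fqdn, roots).values())) > 1


if __name__ == "__main__":
    roots = {"common": COMMON_ROOT, "alternate": ALT_ROOT}
    for name in ("example.com", "example.net"):
        print(name, compare_roots(name, roots), "DIVERGES" if diverges(name, roots) else "consistent")
```

The model deliberately keeps the root zones tiny: the only thing a root does here is decide which TLD zone is authoritative, which is why `example.net` stays consistent while `example.com` splits. A defender with clients on several resolvers can run the same comparison against live resolvers (with a real DNS library in place of the dict lookups) to detect when a name's answer depends on the resolver's root rather than on the registrant.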