DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

Måns Nilsson mansaxel at besserwisser.org
Wed Feb 27 16:13:28 UTC 2019


Subject: RE: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Wed, Feb 27, 2019 at 10:17:22AM -0500
Quoting Eric Tykwinski (eric-list at truenet.com):
> > Nah, you know, that won't happen any time soon. Mozilla is busy doing other, more important things, like streaming all of the users' DNS queries to Cloudflare, etc. The plain old security doesn't count anymore.
> >
> > --
> > Töma
> 
> This was sort of discussed a while ago:
> Adam Langley:
> https://www.imperialviolet.org/2015/01/17/notdane.html

Calling TXT or DANE non-standard is a remarkable statement. Smells of the
deeply flawed reasoning that brought us the festering pile of defeatism
that is RFC 7208.[0]

As I wrote a few messages upthread, the user cannot expect the network
to be trustworthy, and still, we who run the network would very much
like their business. So, what we must constantly strive for is maximum
transparency, carrying as much of the Internet experience, good or bad,
to the end user. Or, more terse: "Middleboxes are bad for you."

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
I demand IMPUNITY!

[0] This document tries to deprecate RRTYPE 99 for SPF, by stating that
only TXT records can be trusted. Apparently, it is possible to decide
on the fly which RRtypes are possible to query for, depending on the
argument.