Re: [dssa] a thread for Dakar-meeting feedback
- To: "Mike O'Connor" <mike@xxxxxxxxxx>
- Subject: Re: [dssa] a thread for Dakar-meeting feedback
- From: Patrik Fältström <paf@xxxxxxxxx>
- Date: Mon, 24 Oct 2011 16:29:35 +0000
On 24 okt 2011, at 15:20, Mike O'Connor wrote:
> Bill Manning and James Galvin had a conversation about the mutual
> compatibility of DNSSEC and DNS RPZ (here's a Paul Vixie blog post about RPZ
> - https://www.isc.org/community/blog/201007/taking-back-dns-0). Bill started
> with a comment that the two may be an either/or choice, that they may not be
> compatible with each other. James questioned that. Bill responded with
> reference to a very recent interaction with Paul V. in which Paul said he
> didn't know how to make the two approaches coexist.
I do not see any problems with using both at the same time.
What we have to remember is "just" that the algorithm one use when looking up
(for example) "an address given a hostname" is more and more complicated.
For example, I think one must do validation and repudiation calculations in the
same entity as part of the same algorithm, This calculation is to be made in
some process that the application or whatever that want the information trusts.
But that it is impossible to have both at the same time? Absolutely not!
Bill and I have talked, and we will continue on Wednesday.