<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [dssa] a thread for Dakar-meeting feedback
- To: bmanning@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [dssa] a thread for Dakar-meeting feedback
- From: Patrik Fältström <paf@xxxxxxxxx>
- Date: Mon, 24 Oct 2011 17:03:53 +0000
...and my point is that this is not black or white, it is in deed "gray" and we
are discussing what number of shades there are...
Patrik
On 24 okt 2011, at 16:56, bmanning@xxxxxxxxxxxxxxxxxxxx wrote:
>
>
> this is the location:
>
> http://www.gcsec.org/event/dns-easy-2011-workshop/keynote-talks
> slides 24,25,26...
>
> the "recovery" is to use another nameserver or use a non-obstructed path.
> secltion of an alternate path may not be possible (the use of DNS over HTTP
> is not yet
> an IETF WG aactivity) and few people outside the odd sysadmin/dns geek can
> select a new
> nameserver.
>
> RPZ is codified mitm attacks.
>
> Pauls public statemetns don't sound like rumor - sounds like an ISC stated
> business model.
>
>
> /bill
>
> On Mon, Oct 24, 2011 at 03:58:51PM +0000, James M. Galvin wrote:
>>
>> Reputation systems and DNSSEC co-exist just fine. I take issue with
>> Paul's position as explained by Bill.
>>
>> As I understand it, the issue is that DNSSEC will detect that somebody
>> is mucking with your DNS responses but the user may not know why
>> (perhaps it's intended because of the service they're using, i.e., the
>> ISP is filtering for you because they know what's best for you).
>> Worse, the user may not be able to "get around" the resolver that is
>> inappropriately (or unexpectedly) mucking with DNS responses.
>>
>> The overstated strong statement is that there is no recovery and
>> therefore they do not co-exist.
>>
>> That's the best that Bill could explain to me. So, unless I'm missing
>> something, there's no story here. DNSSEC is doing its job by letting
>> you know you have a problem. The fact that you may be subjected to a
>> reputation system unexpectedly is, well, a local problem.
>>
>> We should not perpetuate this rumor without additional facts.
>>
>> Jim
>>
>>
>>
>>
>>
>> On Oct 24, 2011, at 3:20 PM, Mike O'Connor wrote:
>>
>>>
>>> hi all,
>>>
>>> here's a little thread where you can all post comments/feedback you
>>> receive during the course of the Dakar meeting. i'll start it by
>>> passing along a couple of notes i took during the DSSA-update
>>> session at the GNSO yesterday.
>>>
>>> Jeff Neuman (NeuStar, Registries, Vice-Chair of the GNSO Council)
>>> commented on our scope -- expressing concern that our scope is
>>> perhaps too narrow and may be misperceived by people outside the
>>> process as too focused on the root and TLD levels of the DNS. he
>>> made the point that "DNS" means a much broader thing to many and
>>> they may be disappointed when they see our scope statement. he
>>> encouraged us to, at a minimum, make our scope statement really
>>> clear in our final report
>>>
>>> Bill Manning and James Galvin had a conversation about the mutual
>>> compatibility of DNSSEC and DNS RPZ (here's a Paul Vixie blog post
>>> about RPZ - https://www.isc.org/community/blog/201007/taking-back-dns-0)
>>> . Bill started with a comment that the two may be an either/or
>>> choice, that they may not be compatible with each other. James
>>> questioned that. Bill responded with reference to a very recent
>>> interaction with Paul V. in which Paul said he didn't know how to
>>> make the two approaches coexist.
>>>
>>> any other comments/ideas/feedback that people are hearing? are you
>>> finding copies of our "one pager" helpful?
>>>
>>> mikey
>>>
>>>
>>> - - - - - - - - -
>>> phone 651-647-6109
>>> fax 866-280-2356
>>> web http://www.haven2.com
>>> handle OConnorStP (ID for public places like Twitter, Facebook,
>>> Google, etc.)
>>>
>>>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|