Re: [dssa] a thread for Dakar-meeting feedback
- To: Patrik Fältström <paf@xxxxxxxxx>
- Subject: Re: [dssa] a thread for Dakar-meeting feedback
- From: bmanning@xxxxxxxxxxxxxxxxxxxx
- Date: Mon, 24 Oct 2011 17:03:40 +0000
On Mon, Oct 24, 2011 at 04:29:35PM +0000, Patrik Fältström wrote:
>
> On 24 okt 2011, at 15:20, Mike O'Connor wrote:
>
> > Bill Manning and James Galvin had a conversation about the mutual
> > compatibility of DNSSEC and DNS RPZ (here's a Paul Vixie blog post about
> > RPZ - https://www.isc.org/community/blog/201007/taking-back-dns-0). Bill
> > started with a comment that the two may be an either/or choice, that they
> > may not be compatible with each other. James questioned that. Bill
> > responded with reference to a very recent interaction with Paul V. in which
> > Paul said he didn't know how to make the two approaches coexist.
>
> I do not see any problems with using both at the same time.
>
> What we have to remember is "just" that the algorithm one uses when looking up
> (for example) "an address given a hostname" is more and more complicated.
>
> For example, I think one must do validation and repudiation calculations in
> the same entity as part of the same algorithm. This calculation is to be made
> in some process that the application or whatever that wants the information
> trusts.
>
> But that it is impossible to have both at the same time? Absolutely not!
>
> Bill and I have talked, and we will continue on Wednesday.
>
> Patrik
>
we will. :) the concern is mostly focused on folks running RPZ systems that are
disjoint from the end systems or where validation occurs. when they are
co-existent at the leaf - I agree w/ Patrik. Unfortunately few systems do
validation at the leaf and fewer do RPZ. Although the recent Japanese data
suggest that the number of end systems running full caching nameserver code &
validation is actually significant in their sample set. So it might be possible
there is a clear path, but it's not obvious how to get there. Regardless, this
suggests widescale deployment of RPZ will create "speed bumps" on the path to
DNSSEC adoption.
/bill
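
The two placements discussed in this thread, as an added example that is not part of the original messages: a toy Python model in which an RPZ rewrite happens either upstream of the validator or in the same entity that validates. The zone data, names, addresses and function names are constructed, an HMAC stands in for an RRSIG, and the validate-then-apply-policy ordering in `colocated` is one assumed way to combine the two steps.

```python
import hashlib
import hmac

# Constructed toy data. An HMAC stands in for an RRSIG so the model runs
# offline; real DNSSEC uses public-key signatures and a chain of trust.
ZONE_KEY = b"constructed-zone-key"
RPZ_LISTED = {"bad.example."}     # hypothetical policy zone contents
WALLED_GARDEN = "192.0.2.1"       # hypothetical rewrite target

def sign(name, addr):
    """Signature the zone owner publishes over (name, address)."""
    msg = f"{name}|{addr}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()

ZONE = {
    "good.example.": ("198.51.100.10", sign("good.example.", "198.51.100.10")),
    "bad.example.": ("203.0.113.66", sign("bad.example.", "203.0.113.66")),
}

def rpz_rewrite(name, answer):
    """Policy step: swap the address for listed names. The rewriter cannot
    re-sign for the zone, so the original signature no longer matches."""
    addr, sig = answer
    return (WALLED_GARDEN, sig) if name in RPZ_LISTED else answer

def validate(name, answer):
    """Validation step: accept only data the signature actually covers."""
    addr, sig = answer
    return hmac.compare_digest(sig, sign(name, addr))

def disjoint(name):
    """RPZ applied upstream, validation later at the end system."""
    answer = rpz_rewrite(name, ZONE[name])
    return answer[0] if validate(name, answer) else "SERVFAIL (bogus)"

def colocated(name):
    """Validation and policy in one entity: validate the original data,
    then apply local policy to the result handed to the application."""
    answer = ZONE[name]
    if not validate(name, answer):
        return "SERVFAIL (bogus)"
    return rpz_rewrite(name, answer)[0]

if __name__ == "__main__":
    for qname in ZONE:
        print(qname, "disjoint:", disjoint(qname), "colocated:", colocated(qname))
```

In the disjoint case the listed name still ends up unreachable, but as a validation failure rather than the policy answer, so the end system cannot tell a local policy decision from tampering.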