Re: [dssa] a thread for Dakar-meeting feedback
- To: Patrik Fältström <paf@xxxxxxxxx>
- Subject: Re: [dssa] a thread for Dakar-meeting feedback
- From: bmanning@xxxxxxxxxxxxxxxxxxxx
- Date: Mon, 24 Oct 2011 17:03:40 +0000
On Mon, Oct 24, 2011 at 04:29:35PM +0000, Patrik Fältström wrote:
> On 24 okt 2011, at 15:20, Mike O'Connor wrote:
> > Bill Manning and James Galvin had a conversation about the mutual
> > compatibility of DNSSEC and DNS RPZ (here's a Paul Vixie blog post about
> > RPZ - https://www.isc.org/community/blog/201007/taking-back-dns-0). Bill
> > started with a comment that the two may be an either/or choice, that they
> > may not be compatible with each other. James questioned that. Bill
> > responded with reference to a very recent interaction with Paul V. in which
> > Paul said he didn't know how to make the two approaches coexist.
> I do not see any problems with using both at the same time.
> What we have to remember is "just" that the algorithm one uses when looking up
> (for example) "an address given a hostname" is more and more complicated.
> For example, I think one must do validation and repudiation calculations in
> the same entity as part of the same algorithm. This calculation is to be made
> in some process that the application or whatever that wants the information
> But that it is impossible to have both at the same time? Absolutely not!
> Bill and I have talked, and we will continue on Wednesday.
we will. :) the concern is mostly focused on folks running RPZ systems
disjoint from the end systems or where validation occurs. When they are
at the leaf, I agree w/ Patrik. Unfortunately few systems do validation
at the leaf, and fewer do RPZ. Although the recent Japanese data suggest
that the end systems running full caching nameserver code & validation
is in their sample set. So it might be possible there is a clear path,
but it's not obvious how to get there. Regardless, this suggests widescale
deployment of RPZ will create "speed bumps" on the path to DNSSEC adoption.