Re: Global PKI on DNS?

John Stracke wrote:
> 
> >> Because it's not their software? If I wanted to do PKI through DNS, and my
> >> ISP's server did not support TCP, I might be stuck.  Personally, I don't
> >> depend on my ISP for DNS, but many users do.
> >
> >So users wanting this new service will be pretty motivated to switch DNS
> >servers when the time comes, what's the big deal in that?
> 
> The big deal is that some of the more restrictive ISPs may not permit
> customers to bypass their DNS servers.  Same as with HTTP interception
> proxies.

And there are multiple possible answers to that sort of behaviour, none
of which require technological solutions, since it's not a technological
problem. Users can be told "this function is not available from this
ISP, change ISPs" and we let the free market do its thing. Operators of
such a new service can run DNS servers on different ports for this
functionality. There are probably lots of things you could do, but the
fact that a particular ISP is behaving in an antisocial manner shouldn't
be an issue for this list, should it?

Last week I was told by a relative down in Australia that his ISP still
scans for multiple hosts hiding behind NAT boxes. OTOH, one of my ISPs
(Earthlink) regularly tries to *sell* me NAT boxes. Neither behavior
would seem relevant to the NAT versus anti-NAT debate on this list but I
happen to rather like the fact that my ISP recognizes that I want to run
this technology and doesn't try to treat me like a criminal for doing
so.

Now, it's a bit more tricky when the ISP is doing proxy interception,
but frankly maybe we shouldn't be overloading the current DNS service
with this. I didn't see anything so far in this thread that would
discourage me from using DNS *technology* in this application, but maybe
you would definitely want to set up your own root for this service. It
would get you out from under the many operational restrictions folks put
on DNS for "stability" reasons anyways, and by using a different port
you'd find the proxy/interception issues go away, too.

Sounds like a win for everybody...

				- peterd




-- 
-----------------------------------------------------------------------
   Peter Deutsch                   peterd@earthlink.net


   "I had to do an assignment on wild animals, and I decided to
    do my report on alligators. To complete my research, I took a
    trip to the zoo. I wanted to make a day of it, so I took along
    my pet dog. I figured we could throw a little frisbee,
    enjoy the sun, but boy was that trip a disaster. I had to
    tell my teacher that my homework ate my dog..."

----------------------------------------------------------------------
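The two practical points raised in this exchange, whether a resolver reached at some host and port answers over TCP at all and what happens when a PKI-sized answer is truncated on UDP, can be checked directly. The following probe is an added example, not code from the original message or from any IETF work; it assumes a resolver address and port supplied on the command line (a non-standard port such as 5353 is what a private root for this service might use) and queries for a hypothetical CERT record at example.com. It builds the DNS message by hand so it runs with nothing but the standard library.

```python
import socket
import struct

# Added example (not from the original post). Checks whether a DNS server
# reachable at an arbitrary host:port answers over both UDP and TCP, and
# reports the TC (truncation) bit on the UDP answer. PKI-sized answers such
# as CERT records routinely exceed the 512-byte UDP limit, so a resolver
# without TCP support is a real obstacle for the PKI-in-DNS idea discussed.

# RR type codes from the IANA registry; CERT is RFC 4398, DNSKEY RFC 4034.
QTYPE = {"A": 1, "TXT": 16, "CERT": 37, "DNSKEY": 48}
TXID = 0x1234  # fixed transaction id so replies can be matched below


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels, zero end."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = TXID) -> bytes:
    """Build a standard query with RD=1 for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "tc": bool(flags & 0x0200),      # truncated: retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data: bytes) -> bytes:
    """Strip the TCP length prefix, refusing an incomplete message."""
    n = struct.unpack("!H", data[:2])[0]
    if len(data) < 2 + n:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + n]


def query_udp(server: str, port: int, msg: bytes, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, port))
        return s.recv(4096)


def query_tcp(server: str, port: int, msg: bytes, timeout: float = 3.0) -> bytes:
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        buf = b""
        # Read until the length prefix says the whole message has arrived.
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        return tcp_unframe(buf)


def probe_resolver(server: str, port: int, name: str, qtype: str):
    """Return (udp_ok, truncated, tcp_ok) for the resolver at server:port."""
    q = build_query(name, qtype)
    udp_ok = truncated = tcp_ok = False
    try:
        h = parse_header(query_udp(server, port, q))
        udp_ok = h["qr"] and h["id"] == TXID
        truncated = h["tc"]
    except (OSError, ValueError):
        pass
    try:
        h = parse_header(query_tcp(server, port, q))
        tcp_ok = h["qr"] and h["id"] == TXID
    except (OSError, ValueError):
        pass
    return udp_ok, truncated, tcp_ok


if __name__ == "__main__":
    import sys
    # Assumed arguments: resolver host and port (e.g. a private root on 5353).
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    print(probe_resolver(server, port, "example.com", "CERT"))
```

A resolver that returns (True, True, False) is exactly the failure the quoted message worries about: it truncates the UDP answer but offers no TCP path to the full record. Pointing the probe at a server on a port other than 53 also shows whether an ISP's interception affects that port, since a transparent proxy on 53 will not see it.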