Re: DNSSEC architecture vs reality

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




--On Monday, April 12, 2021 15:43 -0700 Michael Thomas
<mike@xxxxxxxx> wrote:

> The one thing that bugs me about DANE is its use of a native
> RR type. This is a well trodden argument of doing it proper
> and doing it in a deployable way. We know what happens when
> you do it the "right way" which is usually nothing at all. If
> it started to get popular, we could gin up a TXT record
> alternative though, I suppose. When we were doing DKIM at
> Cisco, our IT folks were incredibly accommodating, but
> implementing a new RR type in their infrastructure would have
> probably been a bridge too far. Heck, I wouldn't be surprised
> if Mark at Y! got told the same thing :)

And I don't want to reopen that argument, but part of it is that
the original plan for TXT RR was essentially as a comment field
that anyone could put anything into that they wanted to convey
to another human.  So, if it is used to express protocol
information, figuring out which protocol and whether the data
field is correct for that protocol is basically a matter for
heuristics, no matter how good one can make them.  If there is a
choice, that is not a really good idea.  Also, it has been years
since I was involved in large-scale DNS operations (and, by
today's standards for "large", I never have been),  but it seems
to me that, if a particular implementation or operational setup
makes it as hard to deal with a new RR type as your comment
above suggests, there is something seriously wrong with that
setup.   And I think the language in 1034/1035 is consistent
with that view.

    john




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux