In message <20141204060351.GH19344@xxxxxxxxxxxxxxx>, Andrew Sullivan writes:
> On Thu, Dec 04, 2014 at 01:11:46PM +1100, Mark Andrews wrote:
>
> > As for RFC 5011, it is a crock. We should be using something like
> > CDS with start and end dates plus retry timers.
> > […]
> > That said there are some really broken EDNS implementations out there.
> > […]
> > We also have the following draft-andrews-dns-no-response-issue
> > which covers this as well as other issues.
>
> To be clear, then, the reduction of available port numbers that is the
> result of A+P is solved by some proposals in a couple Internet-Drafts,
> neither of which yet has critical mass, and that depend on a feature
> of the DNS that is still broken in lots of places more than 10 years
> after its specification?

It's only broken because no one has been checking servers for compliance.
All the bugs are about 5 minutes' work to fix if they actually get reported
to the nameserver vendors and operators of the servers. As for implementing
cookies / SIT, that is about a day's work. It's actually a lot less work
than port randomisation is.

> Also, you think that the only actual DNSSEC TA rollover mechanism we
> standardized is a crock?

Just because something is standardised doesn't mean that it is not a crock.
RFC 5011 doesn't provide a mechanism to tell others if the operators are
using it for key management. It overloads the SEP bit. There are no timing
parameters; one size doesn't fit all. It increases DNSKEY RRset size
unnecessarily.

> I'm just trying to calibrate what "perfectly fine" means before I send
> my comments on the A+P standards-track request.
>
> Thanks,
>
> A
>
> --
> Andrew Sullivan
> ajs@xxxxxxxxxxxxxxxxxx

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
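What "checking servers for compliance" amounts to in practice, as an added illustration that is not code from this thread, from ISC or from the draft mentioned above: build a query carrying an EDNS(0) OPT record (RFC 6891) and classify what an authoritative server sends back, so an operator can verify their own servers before relying on EDNS-dependent features. The responses here are constructed by `build_sample_response` so the script runs offline; against a real server you would send the bytes from `build_edns_query()` over UDP and hand the reply (or `None` on timeout) to `classify_response`. The function names and the classification labels are my own, not from any standard.

```python
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
RCODE_FORMERR = 1
EDNS_VERSION = 0


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname, qtype=1, txid=0x1234, udp_size=4096):
    """Build a UDP query with an EDNS(0) OPT RR in the additional section."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field = extended RCODE / version / flags (all zero), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def classify_response(resp):
    """Classify what a server returned to build_edns_query().

    resp is the raw UDP payload, or None when nothing came back at all
    (the silently-dropped case is the one that is hardest to diagnose).
    """
    if resp is None:
        return "no-response"
    if len(resp) < 12:
        return "malformed"
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    opt_version = None
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt_version = (ttl >> 16) & 0xFF
    if opt_version == EDNS_VERSION:
        return "edns-ok"
    if opt_version is not None:
        return "bad-version"
    if rcode == RCODE_FORMERR:
        return "formerr-no-edns"       # pre-EDNS behaviour RFC 6891 tolerates
    return "opt-stripped"              # answered, but dropped OPT: not compliant


def build_sample_response(query, rcode=0, include_opt=True, version=0):
    """Constructed reply used for offline testing: echoes the question, optional OPT."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    flags = 0x8180 | rcode             # QR, RD, RA set
    arcount = 1 if include_opt else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    opt = b""
    if include_opt:
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, version << 16, 0)
    return header + question + opt


if __name__ == "__main__":
    q = build_edns_query("example.com")   # constructed query name
    for label, r in [("compliant", build_sample_response(q)),
                     ("legacy FORMERR", build_sample_response(q, rcode=RCODE_FORMERR, include_opt=False)),
                     ("OPT dropped", build_sample_response(q, include_opt=False)),
                     ("timeout", None)]:
        print(f"{label:15s} -> {classify_response(r)}")
```

Only the `edns-ok` outcome means the server is usable for anything that rides on EDNS; `formerr-no-edns` is the legacy behaviour a client can fall back from, while `opt-stripped` and `no-response` are the cases worth reporting to the vendor or operator.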