In message <56E768E6.5090905@xxxxxxxxxxxxx>, Doug Barton writes:

> On 03/14/2016 04:18 PM, Paul Wouters wrote:
> > Yes, you are about 1.5 years late. And your arguments are (un)fortunately
> > not new arguments. Since the archive on this draft is rather huge, I can
> > understand that you missed part of this discussion. So for completeness'
> > sake, I will answer your questions again.
>
> Thank you for your patience in explaining your reasoning, and again, I'm
> sorry for coming late to the party. And thanks as well for confirming
> that my memory is correct ... at one time I did hear that this topic was
> going in the direction of signatures rather than certs. Unfortunate that
> I didn't follow it closer.
>
> Regarding what you said and what your goals are, I think that we are
> pretty far apart. I will send a detailed response to your message on the
> DANE list soon. In all likelihood I will also create a new I-D with my
> ideas specified in more detail. Perhaps what is needed is more than one
> experiment. :)
>
> In regards to the current last call, while your explanations do help to
> alleviate a few of my concerns, in large part I am still not
> enthusiastic about this version of the draft proceeding.
>
> In particular I think the concern about these RRs being used for DDOS
> amplification remains. There is no mechanism in place currently in any
> name server software that I am aware of to limit responses to queries in
> the manner you describe (only send answers if the query comes over TCP
> or with DNS-Cookies). Further, I don't see that happening any time soon.

You just limit response sizes in general. BIND 9.11 has
"nocookie-udp-size <integer>;" which sets an EDNS response size limit for
queries w/o a valid server cookie. If the response doesn't fit you do the
normal fallback to TCP. With EDNS both sides can set limits on what they
are willing to send/receive. Amplification controls should be independent
of qname and qtype.

> Close behind that concern, the larger IETF community (or at least some
> very vocal segments of it) have serious concerns about this type of
> opportunistic encryption happening at all, or in my case, without user
> input. They (and to some extent I) remain unconvinced by your
> assertion that this type of opportunistic encryption is always better
> than the current state. Personally, I need to think more about that, but
> at least in the early stages of an experiment in tying PGP keys to DNS
> RRs, I'm definitely opposed.
>
> FWIW,
>
> Doug
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
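The response-size controls described in the message above, written out as a BIND named.conf options fragment. This is an added illustration for readers of the thread, not configuration posted by anyone in it: `nocookie-udp-size` is the directive the message names; the numeric values, the `max-udp-size` ceiling and the `rate-limit` block are assumptions added here to show that the limits apply to every response regardless of qname or qtype, so OPENPGPKEY answers are not a special case.

```conf
options {
    // Example values, not from the thread. Queries that do not carry a
    // valid server cookie (RFC 7873) get at most this many bytes over
    // UDP (BIND 9.11; default 4096). A larger answer is sent truncated
    // (TC=1) and the client retries over TCP, where the source address
    // has been validated by the handshake.
    nocookie-udp-size 512;

    // Ceiling on any EDNS UDP response, cookie or not (assumed value).
    max-udp-size 1232;

    // Response rate limiting caps identical answers per client network,
    // independent of the record type being asked for (assumed values).
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

With this in place an unauthenticated UDP query for a large record set only ever yields a small truncated reply, while a client that has completed a cookie exchange or moved to TCP still receives the full answer; the amplification ratio is bounded by the size limit, not by which RR types exist in the zone.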