nanog mailing list archives

Re: NXDomain remapping, DNSSEC, Layer 9, and you.


From: Jay Ashworth <jra () baylink com>
Date: Mon, 28 May 2012 21:52:25 -0400 (EDT)

----- Original Message -----
From: "Mark Andrews" <marka () isc org>

[ vix: ]
meanwhile isc continues to push for ubiquitous dnssec, through to the
stub, to take this issue off the table for all people and all time.
(that's "the real fix" for nxdomain remapping.)

You really believe that the outcome of that will be "we can't make some
extra revenue off NXDOMAIN remapping because of DNSSEC? Well, the hell
with DNSSEC, then"?

People will route around ISPs that do stupid things. They do so
today. When your browser supports DANE there will be more incentive
to ensure that DNSSEC does not break and more incentive to route
around ISPs that do break DNSSEC.

My personal reaction to that, Mark, is to say that you *badly* overestimate
the average Internet end-user (who make up, roughly, 80% of the endpoints,
in my jackleg estimation).

Even an ISP that is redirecting on NXDOMAIN wants to be sure that
it is a real NXDOMAIN, not one that is spoofed, so the path to the
ISP's resolver will be DNSSEC clean and they will be validating.

I'm not sure I understood that...

Until stub resolvers set DO=1 pretty much ubiquitously this won't
be a problem for ISPs that want to do nxdomain redirection. There
are still plenty of crappy DNS proxies in CPE routers to be replaced
before you can just set DO=1 as a default without worrying about
breaking DNS lookups. Even setting EDNS as a default is an issue.

...but that's probably because I don't understand DNSSEC well enough.

That said we are starting down the long path to making EDNS a
default. DiG in BIND 9 defaults to using EDNS and "dig +trace"
sets DO=1 as well. You don't get things fixed if the breakage
is not visible.

We may be talking about different breakage here...

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

