Ben Laurie | 1 Mar 14:32 2009

Re: [dnssec-deployment] [dnsext] Sidestepping the root

Paul Vixie wrote:
> On 21.02.2009, at 18:11, Ben Laurie wrote:
>> So here's an idea: why don't the TLDs who have deployed or are willing to
>> deploy DNSSEC get together and each run a DLV zone for all the others?
> 
> candidly, it's because of the trust problem.  ISC operates a DLV registry
> and it has a few TLDs in it (more now that we've imported IANA's ITAR) but
> the TLD operators are terribly concerned about kingmaking and not even ISC
> is trustworthy enough to make that concern go away.  truthfully: *no one* is.

Who would be king in the system I describe?

> i understood this better after the man from .RU shook his fist at the room
> down in atlanta, apparently the idea of russia depending on the united
> states (which is how the world sees ICANN) to authenticate their own names
> to their own users flies in the face of national sovereignty.

In the system I describe, .ru would authenticate their own names to
their own users.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Paul Vixie | 1 Mar 17:59 2009

Re: [dnssec-deployment] [dnsext] Sidestepping the root

> > On 21.02.2009, at 18:11, Ben Laurie wrote:
> >> So here's an idea: why don't the TLDs who have deployed or are willing
> >> to deploy DNSSEC get together and each run a DLV zone for all the
> >> others?

> Paul Vixie wrote:
> > candidly, it's because of the trust problem.  ISC operates a DLV
> > registry and it has a few TLDs in it (more now that we've imported
> > IANA's ITAR) but the TLD operators are terribly concerned about
> > kingmaking and not even ISC is trustworthy enough to make that concern
> > go away.  truthfully: *no one* is.
> 
> Who would be king in the system I describe?

the system you describe is kingless.

> > i understood this better after the man from .RU shook his fist at the
> > room down in atlanta, apparently the idea of russia depending on the
> > united states (which is how the world sees ICANN) to authenticate their
> > own names to their own users flies in the face of national sovereignty.
> 
> In the system I describe, .ru would authenticate their own names to
> their own users.

it has some interesting properties.  perhaps you can find a CCTLD who is
willing to deploy it, thus setting an example for other CCTLD's.  (the
first step would appear to be some kind of technote describing your
proposal.)

two notes.  first, roy arends also made a kingless proposal a few years

Ben Laurie | 1 Mar 18:16 2009

Re: [dnssec-deployment] [dnsext] Sidestepping the root

Paul Vixie wrote:
>>> On 21.02.2009, at 18:11, Ben Laurie wrote:
>>>> So here's an idea: why don't the TLDs who have deployed or are willing
>>>> to deploy DNSSEC get together and each run a DLV zone for all the
>>>> others?
> 
>> Paul Vixie wrote:
>>> candidly, it's because of the trust problem.  ISC operates a DLV
>>> registry and it has a few TLDs in it (more now that we've imported
>>> IANA's ITAR) but the TLD operators are terribly concerned about
>>> kingmaking and not even ISC is trustworthy enough to make that concern
>>> go away.  truthfully: *no one* is.
>> Who would be king in the system I describe?
> 
> the system you describe is kingless.
> 
>>> i understood this better after the man from .RU shook his fist at the
>>> room down in atlanta, apparently the idea of russia depending on the
>>> united states (which is how the world sees ICANN) to authenticate their
>>> own names to their own users flies in the face of national sovereignty.
>> In the system I describe, .ru would authenticate their own names to
>> their own users.
> 
> it has some interesting properties.  perhaps you can find a CCTLD who is
> willing to deploy it, thus setting an example for other CCTLD's.  (the
> first step would appear to be some kind of technote describing your
> proposal.)
> 
> two notes.  first, roy arends also made a kingless proposal a few years
> back but chose for whatever reason not to push forward with it.  you might

Paul Vixie | 1 Mar 18:30 2009

Re: [dnssec-deployment] [dnsext] Sidestepping the root

> But in any case, you are right: if TLDs are authoritative for keys, they
> might as well be authoritative for nameservers. And what would be wrong
> with that?

it's inevitable that some countries will do this.  it'll lead to chaos in
the namespace just like any other multiple-rootzone plan.  what would be
wrong?  as bruce campbell said in _army_of_darkness_: "good? bad? i'm the
one with the gun."

> In what sense is it not deployable? Working fine for me...

it's not universally deployable.  "what wizards can do" is not a good test.


Ben Laurie | 1 Mar 18:33 2009

Re: [dnssec-deployment] [dnsext] Sidestepping the root

Paul Vixie wrote:
>> But in any case, you are right: if TLDs are authoritative for keys, they
>> might as well be authoritative for nameservers. And what would be wrong
>> with that?
> 
> it's inevitable that some countries will do this.  it'll lead to chaos in
> the namespace just like any other multiple-rootzone plan.  what would be
> wrong?  as bruce campbell said in _army_of_darkness_: "good? bad? i'm the
> one with the gun."
> 
>> In what sense is it not deployable? Working fine for me...
> 
> it's not universally deployable.  "what wizards can do" is not a good test.

All you have to do is pick up my makefile and config and type "make" :-)

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff


Ondřej Surý | 2 Mar 15:30 2009

[dnsext] Timeslot at IETF74?

Hi,

I'm planning my trip to SF and I have noticed that dnsext doesn't
have timeslot in Agenda. Does anybody know when the dnsext
session is going to be?

Ondrej.
-- 
 Ondrej Sury
 technicky reditel/Chief Technical Officer
 -----------------------------------------
 CZ.NIC, z.s.p.o.  --  .cz domain registry
 Americka 23,120 00 Praha 2,Czech Republic
 mailto:ondrej.sury <at> nic.cz  http://nic.cz/
 sip:ondrej.sury <at> nic.cz tel:+420.222745110
 mob:+420.739013699     fax:+420.222745112
 -----------------------------------------


Re: [dnsext] Timeslot at IETF74?

At 09:30 02/03/2009, Ondřej Surý wrote:
> Hi,
>
> I'm planning my trip to SF and I have noticed that dnsext doesn't
> have timeslot in Agenda. Does anybody know when the dnsext
> session is going to be?


No meeting, Andrew and I announced this in December:
http://psg.com/lists/namedroppers/namedroppers.2008/msg02413.html

No request was received for agenda slots.

        Olafur



> Ondrej.
> --
>  Ondrej Sury
>  technicky reditel/Chief Technical Officer
>  -----------------------------------------
>  CZ.NIC, z.s.p.o.  --  .cz domain registry
>  Americka 23,120 00 Praha 2,Czech Republic
>  mailto:ondrej.sury <at> nic.cz  http://nic.cz/
>  sip:ondrej.sury <at> nic.cz tel:+420.222745110
>  mob:+420.739013699     fax:+420.222745112
>  -----------------------------------------

Andrew Sullivan | 2 Mar 16:43 2009

Re: [dnsext] Timeslot at IETF74?

On Mon, Mar 02, 2009 at 03:30:49PM +0100, Ondřej Surý wrote:
> Hi,
> 
> I'm planning my trip to SF and I have noticed that dnsext doesn't
> have timeslot in Agenda. Does anybody know when the dnsext
> session is going to be?

There isn't going to be one, which is why you don't see the timeslot.
We asked many weeks ago whether anyone had possible agenda items for a
meeting; if not, we would have no meeting.  We didn't get responses
with items that needed discussion, so we didn't schedule a session.
(This is in keeping with the WG's charter that we're sleeping.)

Best,

Andrew (for the Chairs)

-- 
Andrew Sullivan
ajs <at> shinkuro.com
Shinkuro, Inc.


Internet-Drafts | 2 Mar 18:00 2009

I-D Action:draft-ietf-dnsext-dnsproxy-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS Extensions Working Group of the IETF.

	Title           : DNS Proxy Implementation Guidelines
	Author(s)       : R. Bellis
	Filename        : draft-ietf-dnsext-dnsproxy-02.txt
	Pages           : 13
	Date            : 2009-03-02

This document provides guidelines for the implementation of DNS
proxies, as found in broadband gateways and other similar network
devices.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnsproxy-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment (draft-ietf-dnsext-dnsproxy-02.txt): message/external-body, 70 bytes
_______________________________________________
I-D-Announce mailing list
I-D-Announce <at> ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Re: [dnsext] I-D Action:draft-ietf-dnsext-dnsproxy-02.txt

Ray has informed the chairs that this version addresses all the issues that
have been raised so far. We are planning to start a WGLC on this version real
soon. If you have raised issues with an earlier version of the document, take a
look at this version.

        Olafur & Andrew.

At 12:00 02/03/2009, Internet-Drafts <at> ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the DNS Extensions Working Group of the IETF.
>
>          Title           : DNS Proxy Implementation Guidelines
>          Author(s)       : R. Bellis
>          Filename        : draft-ietf-dnsext-dnsproxy-02.txt
>          Pages           : 13
>          Date            : 2009-03-02
>
> This document provides guidelines for the implementation of DNS
> proxies, as found in broadband gateways and other similar network
> devices.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnsproxy-02.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
> <ftp://ftp.ietf.org/internet-drafts/draft-ietf-dnsext-dnsproxy-02.txt>
