nanog mailing list archives
Re: .gov DNSSEC operational message - picking a fight
From: bmanning () vacation karoshi com
Date: Tue, 28 Dec 2010 22:46:51 +0000
On Tue, Dec 28, 2010 at 11:41:18AM -0800, Doug Barton wrote:
> Now OTOH if someone wants to demonstrate the value in having a publication channel for TLD DNSKEYs outside of the root zone, I'm certainly willing to listen. Just be forewarned that you will have an uphill battle in trying to prove your case. :)
>
> Doug

well, not to pick on you, or the choices made by VSGN,
but I -will- point out that there are many good reasons
to support an out of band method for moving critical data.
(lots of refs on the tradeoffs btwn OOB and IB channels are
to be found by your fav search engine).

the Internet of last century relied in most cases on in-band
communications. and what we have seen is the creation of
overlays or outright independent "control plane" or C&C
networks to manage data flow with independent prioritization
over other traffic as the Internet has evolved. In this case
i think this DNSSEC model is about 15 years behind the curve.

IMHO, key management should be able to use an OOB channel
when the in-band is corrupted or overloaded. Reliance on
strictly the IB channel presumes there will be no problems
with that channel. EVER. For me, I don't want to take
that risk. YMMV of course.

I can't presume that you (or anyone else) share my values
regarding system resilience. For me, the choice made by
VSGN in regards to this zone presupposes bullet-proof and DDOS
proof communications between servers. No packet overloads,
no out of memory conditions, no link saturation, etc. I
appreciate that some might think they live in such a world.
I hope that you and VSGN are lucky. As for myself, I'm
making plans to have more control over my DNS verification
destiny.

If this "proves" my case to you, wonderful! If not, no sweat,
we'll agree to disagree.

--bill
