Re: Wes Hardaker: opportunistic encryption deployment problems
In your previous mail you wrote:
To answer Mr. Hardaker, we understand the problem with requiring the
data be in the reverse DNS space and considering a forward space
solution, but there are many folks who have no control over even their
forward space.
Wes Hardaker's original (partial) message:
3 problems I see with the deployment of opportunistic encryption:
1) your method of obtaining information is by reverse DNS lookup,
which will provide problems with people who can't control their
reverse DNS bindings. As an example, I don't have control over the
subnet mapped to my house and can not insert information into the
controlling DNS server (and can not convince them to redirect to
me).
=> first you should complain to your provider. I don't know
the rules for ARIN but in Europe RIPE rules are clear: someone can get
some address space only if it manages the reverse map and delegates
it with parts of its address space. Of course RFC 2317 is not easy
so even this kind of rule doesn't always provide a solution...
Second point, when DNSSEC is deployed it should be available
for reverse maps first because today reverse maps are broken, nobody
shall rely on them so they are free for experiments or an "all or
nothing" use (DNSSEC should become a part of the "all" in this view).
Don't forget direct maps are for NICs/RIRs clients and reverse maps
are for operators/ISPs which should have the technical skill and
a very different relationship with NICs/RIRs.
Concretely, there are some deployment efforts from various NICs/RIRs
and we can expect some results one day.
Regards
Francis.Dupont@enst-bretagne.fr