[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Wes Hardaker: opportunistic encryption deployment problems

To: "'Francis Dupont'" <Francis.Dupont@enst-bretagne.fr>, Hugh Daniel <hugh@road.xisp.net>
Subject: RE: Wes Hardaker: opportunistic encryption deployment problems
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Date: Mon, 6 Aug 2001 14:07:02 -0700
Cc: wes@hardakers.net, ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com


> => first you should complain at your provider provider. I don't know
> the rules for ARIN but in Europe RIPE rules are clear: someone can get
> some address space only if it manages the reverse map and delegates
> it with parts of its address space. Of course  RFC 2317 is not easy
> so even this kind of rules doesn't provide always a solution...

Support for reverse DNS lookup for current purposes (limited debugging)
should not be conflated into support for a dependable service with 
arbitrary extensions added in to support specific applications.

In particular reverse DNS is not much use when the target does not
have a DNS address. This is the case for the vast majority of DCHP
hosted home Internet hookups.

I *like* my 10Mb/s cable modem into my house, particularly since I
am the only person on my loop. If you want people to use your technology
best design it arround their constraints.


>  Second point, when DNSSEC will be deployed it should be available
> for reverse maps first because today reverse maps are broken , nobody
> shall rely on them so they are free for experiments or an "all  or
> nothing" use (DNSSEC should become a part of the "all" in this view).
> Don't forget direct maps are for  NICs/RIRs clients and reverse maps
> are for operators/ISPs which should have the technical skill and
> a very different relationship with NICs/RIRs.
> Concretly, there are some deployment efforts from various NICs/RIRs
> and we can expect some results one day.

I would not rely on any outcome being achieved as a byproduct of 
DNSSEC. DNSSEC has too many deployment obstacles of its own making
to overcome without being given the task of putting other parts of 
the world to right on the way.

Persuading people to use a new DNS system that requires more public
key operations than SET to validate a single domain name is challenging
enough without making its use dependent on reverse DNS being deployed.


		Phill

Phillip

Follow-Ups:

Re: Wes Hardaker: opportunistic encryption deployment problems

From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

RE: Wes Hardaker: opportunistic encryption deployment problems

From: Henry Spencer <henry@spsystems.net>

Prev by Date: Re: RE: Position statement on IKE development
Next by Date: Re: opportunistic encryption deployment problems
Prev by thread: RE: Wes Hardaker: opportunistic encryption deployment problems
Next by thread: Re: Wes Hardaker: opportunistic encryption deployment problems
Index(es):
- Main
- Thread