Re: IESG feedback on dnsext-ad-is-secure
Date: Fri, 14 Jun 2002 09:34:20 -0400
From: Edward Lewis <edlewis@arin.net>
Message-ID: <a05111b02b92f99fff290@[192.149.252.173]>
| In any case, I feel that it should be up to the configuration process
| to only admit servers (eg to /etc/resolv.conf) that are
| known/detected to be properly configured to return satisfactory
| answers.

Like I turn up to an IETF meeting and my laptop somehow (how?)
determines that the DNS back ends that the DHCP server tells me to
use are inappropriate, and throws them away?

How? And what does it replace them with?

And worse, how does all this work with the still yet to be determined
IPv6 stateless DNS back end discovery algorithm? Especially if
the "just use an anycast address" advocates manage to get their way.
How can one possibly tell if the server that will happen to respond to
a particular anycast address right now is one of the "properly configured"
ones or not?

| I should clarify. The AD bit, showing up in dig was examined not for
| the benefit of the stub resolver, but to see if the back end did its
| job.

Ah, OK, yes, I certainly agree that if that turned out to be the only
possible use of the thing, then deleting it would be the right thing
to do (and that would be true, even if logging hadn't improved...)

kre