Re: Back to Ohta's old proposal (Was: DNSSEC - Signature Only vs the MX/A issue.
Mike StJohns wrote:
> ~1992-3 - TIS submitted a proposal to ARPA for research in this
> area - a 3+ year contract (or maybe a task order against an
> existing contract) was awarded.
It may be the reason why TIS's proposal was chosen without any
real (Paul's confusion on my proposal is evidence) discussion.
Stephane Bortzmeyer wrote:
>>the working group refused to consider a simpler design that lacked,
>>among other things, secure nxdomain. masataka ohta wrote up a
>>viable proposal 11 years ago
> Thanks to the archaeologist Ed Lewis, I've read this draft and I'm
> puzzled: it does cover PNE for domains, with the ZL record (and PNE
> for types with the RRD record).
Yes, it does everything DNSSEC does. The difference is that my
proposal avoided, by design, all the gotchas related to CNAME, glue,
UDP size overflow and so on, most of which was confirmed with an
implementation.
OTOH, TIS's proposal was not implemented and was claimed to have
some minor features intentionally missing from mine, all of which
are useless/harmful/impossible and were, later, dropped.
> Ohta's proposal does not seem to be SO
> and therefore does not seem to be a direct competitor of St John's.
It's trivially easy to add to my proposal some record that a zone does
not support ZL.
However, even though my proposal makes it simpler to
implement, deploy and operate, the real problem of DNSSEC is
that it is merely weakly secure.
That is, if you can blindly believe that all the nameserver
operators between you and your peer are secured, you can blindly
believe that all the ISPs between you and your peer are secured.
Masataka Ohta
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>