[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SO vs DNSSEC

To: "Olaf M. Kolkman" <olaf@NLnetLabs.nl>, IETF DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: SO vs DNSSEC
From: Mike StJohns <Mike.StJohns@nominum.com>
Date: Wed, 06 Dec 2006 16:08:52 -0500
Delivery-date: Wed, 06 Dec 2006 21:09:31 +0000
Envelope-to: namedroppers-data@psg.com

At 03:29 PM 12/6/2006, Olaf M. Kolkman wrote:

Anyway, this all boils down to the blunt question: Should we flush
all DNSSEC-bis work and put our bet on SO?


Um... no - and I hope no one thought I was recommending this.

(And isn't DNSSEC 4033-35 + NSEC3 DNSSECtris? :-) )

SO builds on PNE DNSSEC. The deployment model *is* different thoughand may be more attractive to both some zones and some end-users. SOcan use PNE signed zones and trust anchors. In some ways SO could beconsidered more as competition for NSEC3 than for PNE (as describedin 4033-4035).

PNE does provide specific functionality that SO does not - I don'tdispute that. If 4033-35 had been the end of it and fielding hadcommenced, SO wouldn't have been written for years if ever. But wehave NSEC3, we have the issues for trust anchor rollover and we havethe general issues with how to deploy a given trust anchor in thefirst place as still outstanding issues. I expect as PNE is fieldedmore things will crop up - it's the nature of the beast. Some ofthese may be show stoppers - I would hope not, but blind faith thatthere will be only good outcomes is not really a good engineering principle.

In the meantime, SO may be a viable alternative for applicationdevelopers and service providers that don't at this time see arequirement for PNE and do see a possible benefit from signed DNSdata. If PNE does end up getting deployed widely, an SO zone canbe converted into a PNE zone rather quickly - as can an SO-awareapplication be converted into a PNE aware one. It's even possiblethat SO-aware applications might encourage the deployment of PNE zones.

For PNE vs SO - most of the development work is at the applicationrather than the server - and that work has generally been lackingwhile the IETF tries to get the server side correct. Anybody whowants to use SO is going to have to think about application use ofsigned data. Once you do this, adapting an SO application to PNEstatus is relatively simple.

In any event, I wouldn't at this time recommend stopping furtherdevelopment on PNE related DNSSEC items - but ask me again in 2 years. :-)


Mike


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Prev by Date: Re: brain cycles of the WG
Next by Date: Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
Previous by thread: SO vs DNSSEC
Next by thread: Re: SO vs DNSSEC
Index(es):
- Date
- Thread