Re: revised Proposed Charter
- To: <ietf-mailsig@xxxxxxx>
- Subject: Re: revised Proposed Charter
- From: "Arvel Hathcock" <arvel@xxxxxxxx>
- Date: Wed, 27 Jul 2005 23:00:23 -0500
- Dkim-signature: a=rsa-sha1; c=nowsp; d=altn.com; s=c3po; l=2888; t=1122523235; x=1123128035; firstname.lastname@example.org; q=dns; h=DomainKey-Signature: Received:Message-ID:From:To:References:Subject:Date:MIME-Version: Content-Type:Content-Transfer-Encoding:Reply-To; b=FN5/lKxwtGmgvN 0dn3K4jx/ER/nJXVVQONn2cIzTBaKkMxfw1Y/VaSGJL+FJpCntX+7s7Yo+fcmAIZ tCginTbx4PeZslvZbeoNW5kJzRtEMKoi/gZ1p54BIRtLGsHoGJRPfQ2A0VYRNm9t JxhC6hle7oqt3Y77nhVbCDZUG5DDA=
- Domainkey-signature: a=rsa-sha1; s=c3po; d=altn.com; c=nofws; q=dns; h=from:message-id; b=hNO3kkb7IVDFHSacCgF+cFGxqtb7p0XNRl9N4DPCp2xQya7TugUOvXH6cETQP3Fwv5+sxngtfpf0IiIimC9RVqZz7yoLcsUL6ajOHqbgiO5stfTdr3e4ua2zTY9Nt27/K0IDoWBxK2vSDKUnOKya7aCe5tqDFGnMOiMPCdDe0f8=;
- List-archive: <http://www.imc.org/ietf-mailsig/mail-archive/>
- List-id: <ietf-mailsig.imc.org>
- List-unsubscribe: <mailto:email@example.com?body=unsubscribe>
- References: <> <> <> <> <>
- Reply-to: arvel@xxxxxxxx
- Sender: owner-ietf-mailsig@xxxxxxxxxxxx
OK, that's a good response and it makes some fine points.
Just to clarify, I did not assert that there were millions of DK records. I
said "millions of SPF and DK" meaning taking them both together.
----- Original Message -----
From: "william(at)elan.net" <william@xxxxxxxx>
To: "Arvel Hathcock" <arvel@xxxxxxxx>
Sent: Wednesday, July 27, 2005 10:28 PM
Subject: Re: revised Proposed Charter
On Wed, 27 Jul 2005, Arvel Hathcock wrote:

> I should like to ask how querying for TXT records constitutes "using DNS
> in an incorrect manner".

TXT was an extra record not really for formal "protocol" use, basically a
commentary field. The correct way in DNS is to have an RR for the specific use.

> I would also like to understand how DNS software,
> answering queries for TXT records regularly thereby specifically
> functioning as documented, can possibly be construed as "designed
> for a different reason".

You're thinking of software, I'm talking about protocol. The DNS protocol
was designed for providing a link between domain names and the internet routing
system. It's a kind of low-level protocol "under" all other application
protocols but not actually directly part of the routing layer.

> Can you further explain on what ground I should feel justified in second
> guessing the work product of the DNS effort and instead believe you when

You should not believe me, you should read DNS RFCs and DNS drafts, some
of which I've noted (those by IAB), you should further ask this question

> you say that, despite the fact that DNS is advertised to work one way by
> those who created and endorsed it

It is in fact that design that makes putting a public key in DNS an issue.
The designers did not really see DNS as appropriate for that kind of work.
But why don't you ask the designers yourself - namedroppers is the place.

> , and despite empirical evidence to the contrary as evidenced by millions
> of SPF and DK records currently extant, nevertheless, DNS can't do the job
> and we should move on to something else.

First of all there are no millions of DK records, the number is likely
in the order of several thousands (Wayne was doing testing, he can probably
tell for certain). And as far as SPF, almost all SPF records are small -
not at all like DK would be. That does not mean I'm in favor of how SPF
also abuses TXT, a specific RR for it should have been used, and I'm not
at all sure that having mail policies in DNS is the right way to go long-term
(a special policy server would have been better, but such did not happen).

Having something tested and working for you does not necessarily mean
it's the right way for the entire internet architecture, that is why there is a
standards body like IETF that can do cross-area review, and IAB.

> It's one thing to put a warning that dns-based key publishing may affect
> the performance and stability of some DNS implementations - this is
> certainly possible. It's another to try and claim that DNS itself is
> insufficient to the task.

Choose your terms. I did not say it was insufficient, what I said could
amount to that it is dangerous for DNS stability (and not just for
"some DNS implementations") and that there are other options available
that would not have the same problem and have other benefits such as not
being constrained by patents.

As always, just my opinion. Your mileage may vary.
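As an added illustration of the size difference the thread argues about (not part of the archived message or of any participant's code): estimated DNS-over-UDP response sizes for a small SPF TXT record versus DomainKeys/DKIM public-key records. The domain and selector come from this message's own signature headers; the record contents, including the zero-filled placeholder keys, are constructed, and the response is assumed to be a minimal one with a single answer RR and no authority or additional sections.

```python
import base64

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)

# DER SubjectPublicKeyInfo sizes in bytes for RSA keys with exponent 65537.
SPKI_DER_LEN = {1024: 162, 2048: 294, 4096: 550}


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a name: 1 length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def txt_rdata_len(text: str) -> int:
    """TXT RDATA is one or more <character-string>s, each <= 255 bytes with a 1-byte length prefix."""
    data = text.encode("ascii")
    chunks = max(1, (len(data) + 254) // 255)
    return len(data) + chunks


def txt_response_size(name: str, text: str) -> int:
    """Minimal response: 12-byte header + question + one TXT RR whose owner
    name is a 2-byte compression pointer back to the question name."""
    question = wire_name_len(name) + 4                  # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + txt_rdata_len(text)    # NAME ptr, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return 12 + question + answer


def dkim_record(bits: int) -> str:
    """Constructed placeholder key record: zero bytes of the right DER length, base64-encoded."""
    key = base64.b64encode(b"\x00" * SPKI_DER_LEN[bits]).decode("ascii")
    return "v=DKIM1; k=rsa; p=" + key


def fits_in_udp(size: int) -> bool:
    return size <= UDP_LIMIT


if __name__ == "__main__":
    cases = [
        ("altn.com", "v=spf1 mx -all"),                  # constructed SPF record
        ("c3po._domainkey.altn.com", dkim_record(1024)),
        ("c3po._domainkey.altn.com", dkim_record(2048)),
        ("c3po._domainkey.altn.com", dkim_record(4096)),
    ]
    for name, text in cases:
        size = txt_response_size(name, text)
        print(f"{name:26} {len(text):4d}-byte TXT -> {size:4d}-byte response, fits in UDP: {fits_in_udp(size)}")
```

Only a single answer RR is counted; a real response with authority/additional records or DNSSEC signatures is larger, so the key sizes that still fit here sit closer to the limit than the numbers alone suggest.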