Date:      Tue, 20 Feb 2001 01:38:44 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        arch@freebsd.org
Subject:   Re: DJBDNS vs. BIND
Message-ID:  <200102200138.SAA04793@usr05.primenet.com>
In-Reply-To: <20010219104338.B98114@danp.net> from "Dan Peterson" at Feb 19, 2001 10:43:38 AM

> I'm on the list. Please direct replies accordingly.

Please set the Reply-To:; it's a lot of work to send only to the
list.  8-).


> > Hmm.  Dynamic DNS sounds like it might be in the IETF standards track,
> > actually.  Please take a look at RFC 3007. 
> 
> That doesn't mean it's not a hack. Would RFC 2317
> <URL:http://www.ietf.org/rfc/rfc2317.txt> be around if BIND wasn't? I don't
> see any RFCs specific to Sendmail's sendmail.cf format (and subsequent
> "standards track" documents to get around its deficiencies).

It doesn't matter if it's a hack or not (I happen to think it
isn't, and supported it in the DNSEXT working group, along with
Paul Vixie and others who I would not casually dismiss).  If it
is a standard, it is a standard, and it should be implemented,
or your software is non-compliant.

The reason for standards is so that we can assume a minimum
level of functionality between peer implementations.  It's an
issue of interoperability, and playing nice with others.

The IETF is, and has always been, about "rough consensus and
working code".  Subjective value judgements like "pretty" or
"ugly" really don't enter into it.

One of my favorite ways of restating Occam's Razor is "anything
that works is better than anything that doesn't".


> > Name servers are welcome to implement whatever certification process
> > they'd like: it doesn't have to include the DNS root, it's welcome to
> > include peers, etc. Many people are critical of the DNSsec root model, but
> > you're not forced to use that.
> 
> If it doesn't start at the roots, what good is it? Sure, you can make sure
> records within your own zones are "secure," but that's pretty much a given
> anyway. What about results from recursive queries to the Internet? DNSSEC is
> meaningless unless it goes from the roots up.

Aren't you one of those PGP signature users?  8-).

Seriously, if it's not possible to route around NSI's damage, then
the system needs a redesign.  DJB's design is subject to the same
damage (ignore the license issue, and assume free implementations
of his design were available).  The idea of a hierarchy with one
true root implies that the holder of that root (if there is a
holder) wields power over the rest of the hierarchy, deserved or
not.



					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
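A worked illustration of the trust-anchor question argued in this exchange, added here as an example and not part of Terry Lambert's or Dan Peterson's posts: a toy DNSSEC validator in Go whose chain of trust can be anchored at the root or at any lower zone. The hierarchy, zone names, keys and addresses are all constructed (the addresses come from documentation ranges), and the model is simplified on purpose: one Ed25519 key per zone instead of a KSK/ZSK pair, no signature validity windows, a hash of the key in place of a real DS digest, and parents reached by pointer instead of by querying for the DS RRset. It puts the two positions side by side: an anchor placed at org. validates answers under that zone without trusting the root at all but says nothing about names outside the island, while an anchor at the root validates everything, including a re-delegation that the root operator chooses to sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a deliberately simplified signed zone: one Ed25519 key acts as both KSK
// and ZSK, RRSIGs have no validity window, and parents are reached by pointer.
type Zone struct {
	Name   string
	Parent *Zone
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	ds     map[string]Record // signed DS records for delegated children
}

// Record is one signed RR; the signature covers owner, type and data.
type Record struct {
	Owner, Type, Data string
	Sig               []byte
	Signer            *Zone
}

func (r Record) signedBytes() []byte { return []byte(r.Owner + "|" + r.Type + "|" + r.Data) }

// keyDigest stands in for the DS digest of a child zone's key.
func keyDigest(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// NewZone generates a key and has the parent publish a signed DS for it. Calling it
// again with the same name overwrites that DS, as re-delegating to a new key would.
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Parent: parent, pub: pub, priv: priv, ds: map[string]Record{}}
	if parent != nil {
		parent.ds[name] = parent.Sign(name, "DS", keyDigest(pub))
	}
	return z
}

// Sign returns a record signed with the zone's key.
func (z *Zone) Sign(owner, rtype, data string) Record {
	r := Record{Owner: owner, Type: rtype, Data: data, Signer: z}
	r.Sig = ed25519.Sign(z.priv, r.signedBytes())
	return r
}

type Status string

// Secure: the chain reached an anchor. Insecure: no anchor covers the name, so
// nothing is proven. Bogus: a signature or digest on the chain is wrong.
const Secure, Insecure, Bogus Status = "secure", "insecure", "bogus"

// Validator maps zone names to the digest of the key trusted for them.
type Validator struct{ anchors map[string]string }

// Validate checks the record's own signature, then walks delegation by delegation
// toward the root until it meets a trust anchor, which need not be ".".
func (v *Validator) Validate(r Record) Status {
	if !ed25519.Verify(r.Signer.pub, r.signedBytes(), r.Sig) {
		return Bogus
	}
	for z := r.Signer; ; z = z.Parent {
		if want, ok := v.anchors[z.Name]; ok {
			if want == keyDigest(z.pub) {
				return Secure
			}
			return Bogus // the zone is signed by a key other than the anchored one
		}
		if z.Parent == nil {
			return Insecure // ran out of parents without meeting an anchor
		}
		// A missing DS is the zero Record and fails verification here; a real
		// validator would demand an NSEC proof of absence before saying insecure.
		ds := z.Parent.ds[z.Name]
		if !ed25519.Verify(z.Parent.pub, ds.signedBytes(), ds.Sig) || ds.Data != keyDigest(z.pub) {
			return Bogus
		}
	}
}

// Demo builds a constructed hierarchy and validates the same answers from a
// resolver anchored at the root and from one anchored only at org.
func Demo() map[string]Status {
	root := NewZone(".", nil)
	org := NewZone("org.", root)
	www := NewZone("example.org.", org).Sign("www.example.org.", "A", "192.0.2.1") // constructed
	mail := NewZone("com.", root).Sign("mail.com.", "A", "192.0.2.2")
	rootTrust := &Validator{anchors: map[string]string{".": keyDigest(root.pub)}}
	orgTrust := &Validator{anchors: map[string]string{"org.": keyDigest(org.pub)}}
	res := map[string]Status{
		"root-anchor/www.example.org": rootTrust.Validate(www),
		"root-anchor/mail.com":        rootTrust.Validate(mail),
		"org-anchor/www.example.org":  orgTrust.Validate(www),
		"org-anchor/mail.com":         orgTrust.Validate(mail), // outside the island
	}
	// The root operator re-delegates org. to a key it controls and serves a fully
	// signed answer for www.example.org: root-anchored accepts, org-anchored rejects.
	hijacked := NewZone("example.org.", NewZone("org.", root)).Sign("www.example.org.", "A", "203.0.113.7")
	res["root-anchor/hijacked"] = rootTrust.Validate(hijacked)
	res["org-anchor/hijacked"] = orgTrust.Validate(hijacked)
	res["root-anchor/legit-after-hijack"] = rootTrust.Validate(www) // the real org. is now cut off
	res["org-anchor/legit-after-hijack"] = orgTrust.Validate(www)   // the island does not care
	return res
}
```

Demo returns secure for both records under the root anchor and for www.example.org under the org. anchor, insecure for mail.com under the org. anchor, and after the re-delegation secure (root anchor) but bogus (org. anchor) for the hijacked answer, with the legitimate www record flipping to bogus under the root anchor and staying secure under the org. one. That is the trade-off in the thread in running code: the island resolver proves nothing outside its anchor, and the root-anchored resolver covers everything at the price of accepting whatever the holder of the root signs.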

