From owner-freebsd-arch Mon Feb 19 17:38:57 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from smtp02.primenet.com (smtp02.primenet.com [206.165.6.132]) by hub.freebsd.org (Postfix) with ESMTP id 445EB37B401 for ; Mon, 19 Feb 2001 17:38:52 -0800 (PST)
Received: (from daemon@localhost) by smtp02.primenet.com (8.9.3/8.9.3) id SAA05583 for ; Mon, 19 Feb 2001 18:32:39 -0700 (MST)
Received: from usr05.primenet.com(206.165.6.205) via SMTP by smtp02.primenet.com, id smtpdAAAM1aO0k; Mon Feb 19 18:32:34 2001
Received: (from tlambert@localhost) by usr05.primenet.com (8.8.5/8.8.5) id SAA04793 for arch@freebsd.org; Mon, 19 Feb 2001 18:38:44 -0700 (MST)
From: Terry Lambert
Message-Id: <200102200138.SAA04793@usr05.primenet.com>
Subject: Re: DJBDNS vs. BIND
To: arch@freebsd.org
Date: Tue, 20 Feb 2001 01:38:44 +0000 (GMT)
In-Reply-To: <20010219104338.B98114@danp.net> from "Dan Peterson" at Feb 19, 2001 10:43:38 AM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I'm on the list. Please direct replies accordingly.

Please set the Reply-To:; it's a lot of work to send only to the list. 8-).

> > Hmm. Dynamic DNS sounds like it might be in the IETF standards track,
> > actually. Please take a look at RFC 3007.
>
> That doesn't mean it's not a hack. Would RFC 2317
> be around if BIND wasn't? I don't
> see any RFCs specific to Sendmail's sendmail.cf format (and subsequent
> "standards track" documents to get around its deficiencies).

It doesn't matter if it's a hack or not (I happen to think it isn't, and supported it in the DNSEXT working group, along with Paul Vixie and others who I would not casually dismiss). If it is a standard, it is a standard, and it should be implemented, or your software is non-compliant. The reason for standards is so that we can assume a minimum level of functionality between peer implementations.
It's an issue of interoperability, and playing nice with others. The IETF is, and has always been, about "rough consensus and working code". Subjective value judgements like "pretty" or "ugly" really don't enter into it. One of my favorite ways of restating Occam's Razor is "anything that works is better than anything that doesn't".

> > Name servers are welcome to implement whatever certification process
> > they'd like: it doesn't have to include the DNS root, it's welcome to
> > include peers, etc. Many people are critical of the DNSsec root model, but
> > you're not forced to use that.
>
> If it doesn't start at the roots, what good is it? Sure, you can make sure
> records within your own zones are "secure," but that's pretty much a given
> anyway. What about results from recursive queries to the Internet? DNSSEC is
> meaningless unless it goes from the roots up.

Aren't you one of those PGP signature users? 8-).

Seriously, if it's not possible to route around NSI's damage, then the system needs a redesign. DJB's design is subject to the same damage (ignore the license issue, and assume free implementations of his design were available). The idea of a hierarchy with one true root implies that the holder of that root (if there is a holder) wields power over the rest of the hierarchy, deserved or not.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
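The disagreement above is about where a DNSSEC validator's trust has to start: Dan holds that a chain is meaningless unless it reaches the root, Terry that a resolver may anchor trust at peers instead. The following Go program is an added illustration, not code from this thread or from BIND or djbdns. It models a signed delegation hierarchy with Ed25519 keys (a stand-in for real DNSSEC algorithms; a "DS" here is simply a parent-signed digest of the child's key) and a validator that walks upward until it meets any configured trust anchor. The zone names, keys and the unsigned "island.example." delegation are all constructed for the example; real DNSSEC validates full RRsets with RRSIG, DNSKEY and DS records, which this model collapses into a single signature per delegation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a constructed model of one signed DNS zone: a key pair and, if the
// parent chose to sign the delegation, a parent signature over this zone's
// DS record (a digest of the zone name and public key).
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Parent *Zone
	DSSig  []byte // nil when the parent published no signed DS (unsigned delegation)
}

// dsRecord mimics a DS RR: the digest of the child's name and public key that
// the parent would publish for it.
func dsRecord(name string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name), pub...))
	return h[:]
}

// newZone creates a zone under parent; signedDelegation controls whether the
// parent signs the child's DS (in real DNSSEC the parent signs its DS RRset).
func newZone(name string, parent *Zone, signedDelegation bool) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, Parent: parent}
	if parent != nil && signedDelegation {
		z.DSSig = ed25519.Sign(parent.priv, dsRecord(name, pub))
	}
	return z
}

// Validate walks from z toward the root and succeeds at the first zone whose
// key matches a configured trust anchor. An anchor at "." and an anchor at a
// peer zone both terminate the walk; the root is consulted only when no closer
// anchor exists. It returns the name of the anchor that ended the walk.
func Validate(z *Zone, anchors map[string]ed25519.PublicKey) (string, error) {
	for cur := z; cur != nil; cur = cur.Parent {
		if a, ok := anchors[cur.Name]; ok && a.Equal(cur.Pub) {
			return cur.Name, nil
		}
		if cur.Parent == nil {
			return "", fmt.Errorf("reached %q without meeting a trust anchor", cur.Name)
		}
		// A nil or tampered DSSig fails here: the chain is broken at this delegation.
		if !ed25519.Verify(cur.Parent.Pub, dsRecord(cur.Name, cur.Pub), cur.DSSig) {
			return "", fmt.Errorf("delegation %q -> %q is not validly signed", cur.Parent.Name, cur.Name)
		}
	}
	return "", fmt.Errorf("empty chain")
}

// BuildTree constructs a sample hierarchy (names and keys are made up here):
// a signed chain . -> example. -> www.example., plus island.example., whose
// parent never signed its DS, so it can only be trusted through its own anchor.
func BuildTree() map[string]*Zone {
	root := newZone(".", nil, false)
	example := newZone("example.", root, true)
	www := newZone("www.example.", example, true)
	island := newZone("island.example.", example, false)
	return map[string]*Zone{root.Name: root, example.Name: example, www.Name: www, island.Name: island}
}

// Anchors selects the public keys of the named zones as the validator's trust anchors.
func Anchors(zones map[string]*Zone, names ...string) map[string]ed25519.PublicKey {
	out := map[string]ed25519.PublicKey{}
	for _, n := range names {
		out[n] = zones[n].Pub
	}
	return out
}

func main() {
	zones := BuildTree()
	cases := []struct{ target, anchor string }{
		{"www.example.", "."}, {"www.example.", "example."},
		{"island.example.", "."}, {"island.example.", "island.example."},
	}
	for _, c := range cases {
		name, err := Validate(zones[c.target], Anchors(zones, c.anchor))
		fmt.Printf("%-16s anchor=%-16s -> %q %v\n", c.target, c.anchor, name, err)
	}
}
```

Running it shows both positions at once: www.example. validates from a root anchor and equally from an anchor at example. (the root key is never consulted in the second case), while island.example. fails from the root because its parent never signed the delegation and succeeds only when the resolver operator has anchored that zone directly. Whether that second outcome is "meaningless" or "routing around the damage" is exactly the question the thread is arguing; the mechanics of the validator do not care where the anchor sits.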