Draft OpenID v.Next Discovery working group charter

Phillip Hallam-Baker hallam at gmail.com
Tue May 11 01:45:32 UTC 2010


I think it rather unlikely that DNSSEC will gain traction in its current form.

Nobody has yet proposed a mechanism for the owner of example.com to
establish their key in the example.com domain. There will be a BOF on
the subject in the next IETF.

Nor has anyone yet explained what any application or intermediate
server does when DNSSEC checks fail.

Microsoft has promised to 'support' DNSSEC at the level of being able
to sign zones and publish the signatures, but shows no sign of being
interested in using the result.

China and Russia have signed an international treaty whose provisions
make it pretty obvious that they will be blocking the ICANN root
servers.



On Mon, May 10, 2010 at 9:30 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>>  Formally, a query that gets a cache hit is the same as one that doesn't:
>>  It is a DNS query.  The fact that the retrieval is successful at the local
>> store (cache) simply does not affect the underlying model, no matter how
>> many cross-net interactions with an actual DNS server it saves.
>
> Understood, then. So; returning to your original question, I do not know of
> any discovery mechanism *currently* under consideration, though I *do* hope
> to write a Tor plugin and submit it for inclusion once v.Next is well-formed
> enough that I can count on the specs in place staying the same long enough
> to be worth working with.
>
> Whether that would be considered *likely* to come under consideration is a
> question I cannot answer.
>
>>>  Hmm . . . but *which* DNS system?
>>
>> There's more than one?
>
> Sure! Even discounting a user's hosts file (handy for setting up test
> servers) and corporate intranets that bounce a subset of users to an address
> inside their firewall, the so-called "rogue" (because they report different
> results) domain name servers cannot be assumed to ALL have malicious intent;
> some of them might be providing an internet that runs parallel to the
> Internet most people are familiar with. Peer-to-peer DNS has also seen
> interesting ideas, and it's not as if the centralized domain name servers
> would have automatically become aware that such a thing was happening.
>
> (Many of us, finding an open port that claimed to be running DNS, might even
> think "accidental security hole" before we thought "rogue"; a
> misconfiguration of an inadequately documented alternative DNS might leave
> it claiming to be authorized by the same upstream servers we *usually* see,
> and prior to DNSSEC was there really any reliable way of noticing
> differences?)
>
>>>  No domain names, or strings that look like domain names but *can't* be
>>>  looked up through the usual DNS?
>>
>> The latter exemplifies the distinction I cited, between name registration
>> -- reserving a name from the namespace -- versus doing a query using the DNS
>> protocol to a DNS server.
>
> In both cases, starting (in one case, ending) with DNS; got it so far. Could
> get confusing if some of the servers don't realize they're issuing
> contradictory responses for the *same* namespace; again, though, this is
> stepping outside of what is generally understood to be "the real world".
>
> (Could get very interesting as DNSSEC gains traction though! Precedence
> shouldn't be a problem with everyone looking at the same root servers
> (disputes settled that way), but one can easily imagine two (or more) very
> large, long-entrenched DNS systems colliding during the DNSSEC adoption,
> creating an irreconcilable conflict.) Much more likely, though, that DNSSEC
> will help prove the lack of any such things :)
>
> -Shade



-- 
Website: http://hallambaker.com/
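The thread leaves two practical questions open: what an application should do when a DNSSEC check fails, and how a client can tell a validated answer from one that merely came back NOERROR from whatever server answered on port 53. The following is an added example written for this archive page, not code from either correspondent. It parses the DNS header bits that carry the answer (RCODE and the AD flag, per RFC 4035 section 3.2) from hand-constructed wire-format responses and applies an explicit policy: fail closed on a SERVFAIL from a validating resolver, use validated data, and use unvalidated data only when the caller has not asked for DNSSEC. The sample packets, transaction IDs and addresses are constructed, not captured.

```python
"""Classify a DNS response by its DNSSEC-related header bits (RFC 4035 §3.2)
and apply an explicit application policy to validation failures.
Added example for this thread, not code from either correspondent; every
packet below is constructed by hand rather than captured from a resolver."""
import struct
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    VALIDATED = "validated"      # AD=1: the resolver validated the chain
    UNVALIDATED = "unvalidated"  # NOERROR without AD: no validation claim
    BOGUS = "bogus"              # SERVFAIL from a validating resolver
    OTHER_ERROR = "other_error"  # NXDOMAIN, REFUSED, etc.


@dataclass
class DnsResponse:
    txid: int
    rcode: int
    ad: bool
    qname: str
    addresses: list = field(default_factory=list)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> DnsResponse:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                # QTYPE, QCLASS
    addresses = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return DnsResponse(txid, flags & 0x000F, bool(flags & 0x0020), qname, addresses)


def classify(resp: DnsResponse, resolver_validates: bool) -> Trust:
    """The AD bit is only meaningful from a resolver you trust and reach over a
    protected path; a spoofed UDP reply can set it just as easily."""
    if resp.rcode == 0:
        return Trust.VALIDATED if resp.ad else Trust.UNVALIDATED
    if resp.rcode == 2 and resolver_validates:
        return Trust.BOGUS                      # validating resolvers report failure as SERVFAIL
    return Trust.OTHER_ERROR


def apply_policy(resp: DnsResponse, resolver_validates: bool, require_dnssec: bool):
    """Return (action, addresses). Fails closed on bogus data; unvalidated data
    is used only when the caller has not asked for DNSSEC."""
    trust = classify(resp, resolver_validates)
    if trust is Trust.VALIDATED:
        return "use", resp.addresses
    if trust is Trust.BOGUS:
        return "fail_closed", []
    if trust is Trust.UNVALIDATED:
        return ("fail_closed", []) if require_dnssec else ("use_untrusted", resp.addresses)
    return "retry_or_fail", []


def build_response(txid: int, flags: int, qname: str, addresses) -> bytes:
    """Construct a minimal wire-format response (one question, A answers)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", txid, flags, 1, len(addresses), 0, 0) + q + struct.pack("!HH", 1, 1)
    for a in addresses:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return msg


# Constructed samples: QR|RD|RA = 0x8180, AD = 0x0020, SERVFAIL rcode = 2.
SAMPLES = {
    "validated": build_response(0x1234, 0x81A0, "example.com", ["192.0.2.1"]),
    "unvalidated": build_response(0x1235, 0x8180, "example.com", ["192.0.2.1"]),
    "bogus": build_response(0x1236, 0x8182, "example.com", []),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, apply_policy(parse_response(pkt), resolver_validates=True, require_dnssec=False))
```

The policy split is the point: a validating resolver tells the stub nothing more than SERVFAIL when a chain fails, so the application has to decide in advance whether SERVFAIL means "retry elsewhere" or "stop", and an AD bit is only evidence of validation when the path to the resolver itself cannot be spoofed (loopback, or a transport with its own authentication).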

