Re: ETSI on Minimum Requirements for European ENUM Trials

  • To: Jim Reid < >
    "Stastny Richard" < >
  • From: Richard Shockey < >
  • Date: Wed, 23 Oct 2002 15:20:07 -0400

At 11:54 AM 10/23/2002 -0700, Jim Reid wrote:
>>>>> "Richard" == Stastny Richard <Richard.Stastny@localhost writes:

    Richard>    It has to be discussed if WHOIS (or a comparable
    Richard> protocol/ information query method) is needed in
    Richard> production, but i consider it to be useful during trials.

I'm not convinced whois is relevant, desirable or necessary for ENUM
at all.
Who is for technical contact data ... I'm almost convinced this is a requirement.

ENUM trials present the perfect opportunity to look at the issues
surrounding the deployment of DNSSEC. [Nobody has done this, so any
claims DNSSEC is "way off the current state" are not based on hard
facts or real-world experience. The truth is nobody knows either way
because DNSSEC hasn't been deployed beyond trivial proof-of-concept
setups.] The reality is DNSSEC exists and works.
So why isn't .COM, .NET and .ORG signed? .UK .DE .US ??? Jim, we both know the answer.

I totally reject the notion that at this stage of DNSSEC deployment and development it should be a requirement of any ENUM trial. Maybe at some later date...

It can verify answers
from the DNS are the truth, the whole truth and nothing but the
truth. Deployment is another story because the problems of key
management, signing policies, key lengths, signature expire times, key
rollover and so on are not understood for non-trivial zones in a
production setting. And of course these problems won't get tackled
because nobody wants to experiment with significant production data,
like a TLD zone for example.
NO ... it's probably talking out of class for here but IMHO it is WAY WAY too early to even suggest DNSSEC as part of any TRIAL... where is the client support, MS?

ENUM trials present the perfect way to look at this stuff without
breaking production services. This will tell us if DNSSEC is actually
deployable or not. That is a valuable learning exercise in its own
and grossly complicate the basic ENUM services trial itself IMHO.

And if DNSSEC can be deployed, the experience from a trial will
give incredibly valuable insight into how to handle things like key
management and so on. Oh, and using DNSSEC would not affect ENUM users
or applications that don't bother to check the signatures: they won't
even see the crypto gunk if they follow RFC3225 (as they should).

BTW, development of the DS record has generally been accepted by the
IETF DNS & security experts as making DNSSEC much easier to deploy. So
this technology is a lot closer to prime time than some people seem to
think. It will be better to test DNSSEC deployment in a trial setting
than try to figure out how to deploy it for a production ENUM service
in N months' time that will *have* to use it.
Who says anyone will "have" to use it in a production service? Again this is a highly premature and speculative discussion.

    Richard>    "Bind version 9.1 _should_": DON'T require specific
    Richard> software versions. Bind 9 is much slower than Bind 8 and
    Richard> (imho) overfeatured for production use. For that reason,
    Richard> Bind 8 is still the most widely used Name server.

This is misleading or incorrect. First of all BIND9 is fast enough for
just about everybody. It's not yet fast enough for a root server that
gets 5-10k queries a second (sustained) unless it runs on really fast
hardware. But no other name servers ever get near that level of
traffic, except for things like DoS attacks which BIND8 wouldn't be
any better at surviving than BIND9.
Yes .. I still agree that using BIND 9+ is a good requirement.

The main reason BIND9 is not widely used is that few UNIX vendors ship
it with their OS yet. This is hardly surprising given the lead times
vendors have for distributing their system software. IIRC one major
vendor has just got around to stop shipping BIND4 with their OS! The
next reason people don't use BIND9 is it's much stricter at demanding
syntactically correct zone files. So rather than fix their broken zone
files, many DNS administrators stick with older code that tolerates
and encourages those errors.
Excellent points...

    Richard>    What were the reasons to require Bind 9.1?

    Richard>    Stastny: The reason for 9.1 was mainly DNAME.

BIND9 also has a working IXFR. This will be very useful when
propagating small changes for huge zones to their slave servers.
Yes excellent point again...

Richard Shockey, Senior Manager, Strategic Technology Initiatives
NeuStar Inc.
46000 Center Oak Plaza  -   Sterling, VA  20166
Voice +1 571.434.5651 Cell : +1 314.503.0640,  Fax: +1 815.333.1237
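As an added illustration of the RFC 3225 point raised above (example code written for this archive page, not anything from the thread's authors or from NeuStar): a resolver that never sets the EDNS0 DO bit never receives RRSIG records, so an unmodified ENUM client sees only the NAPTR data it asked for, while a DO-setting validator gets the signatures too. The phone number, the NAPTR content and the RRSIG text are constructed placeholders.

```python
import struct

# Constructed example: ENUM query for the hypothetical number +1 234 567 8901,
# written as reversed digits under e164.arpa, asking for NAPTR (type 35).
ENUM_NAME = "1.0.9.8.7.6.5.4.3.2.1.e164.arpa"
TYPE_NAPTR = 35
TYPE_RRSIG = 46
DO_BIT = 0x8000  # RFC 3225: "DNSSEC OK" flag in the EDNS0 OPT RR TTL field

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, dnssec_ok, txid=0x1234):
    """Build a DNS query, adding an EDNS0 OPT RR with DO set when requested."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
        # 16-bit flags word whose top bit is DO, zero-length RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt

def query_wants_dnssec(packet):
    """Server side: True if the query carries an OPT RR with DO set."""
    if struct.unpack("!H", packet[10:12])[0] == 0:  # ARCOUNT == 0: no EDNS0
        return False
    pos = 12  # skip the single question: labels, terminator, QTYPE/QCLASS
    while packet[pos] != 0:
        pos += 1 + packet[pos]
    pos += 1 + 4
    if packet[pos] != 0:  # OPT RR must use the root name
        return False
    rrtype, _, _, _, flags = struct.unpack("!HHBBH", packet[pos + 1:pos + 9])
    return rrtype == 41 and bool(flags & DO_BIT)

def filter_answer(rrset, dnssec_ok):
    """Drop RRSIGs unless DO was set, so legacy ENUM resolvers see only NAPTRs."""
    return [rr for rr in rrset if dnssec_ok or rr[0] != TYPE_RRSIG]

# Constructed signed RRset: (type, rdata text) pairs; the RRSIG is a placeholder.
SIGNED_RRSET = [
    (TYPE_NAPTR, '100 10 "u" "E2U+sip" "!^.*$!sip:user@example.net!" .'),
    (TYPE_RRSIG, "<RRSIG placeholder covering the NAPTR RRset>"),
]

def answer_for(packet):
    return filter_answer(SIGNED_RRSET, query_wants_dnssec(packet))
```

The same DO check is what a real authoritative server applies before including RRSIG (and DNSKEY/DS) records, which is why a trial zone can be signed without changing what non-validating ENUM applications receive.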