[dnssec-deployment] some observations about .SE's DNSSEC

[Paul Vixie]

> 	... If enough people complain it will be fixed.  ...

clearly you've been using hotels and WISPs who face competition, and so
they have to be responsive the the trouble reports they get.  for me, it
is never possible to switch carriers in a hotel room or coffee shop, and
there is no way to get the hotelier or barista to believe that i'm going
to take my business elsewhere because their WISP doesn't support EDNS.

> 	It would be nice if the IETF in there discussions with
> 	hotels actually stated to the hotel that we are using
> 	technology that is likely to become standard practice in
> 	the next 3 years and that it would be wise to address issues
> 	raised.

so all we have to do is hold 2,000,000 IETF meetings to get all the hotels
fixed globally?  or is there a tipping point at, say, 10,000 hotels?  :-)

> 	At the very least they should have a checkbox to disable
> 	interception on the authentication page like may do to supply
> 	a non NATed address.

if only they had to care about what they should have.  but, they don't.

> 	Good indications that it should be disabled automatically are:
> 	* TSIG signed requests.
> 	* non-recursive queries.

well, now you're into namedroppers territory, but i disagee about the TSIG
signed queries.  if i want to use TSIG signed queries from a coffee shop to
my home recursive resolver, it ought to work.  but we (significantly) digress.