[Dnssec-deployment] DNSSEC aware recursive name servers

Jaap Akkerhuis jaap at NLnetLabs.nl
Sat Aug 6 05:23:10 EDT 2011

    I don't mean to come across as saying that DNSSEC's origin was this 
    and should never be changed.  I'm pointing out the original plan was 
    to be something.  If now we imagine the goal is something different 
    don't be frustrated that the extensions don't seem to fit the need.

We actually had long discussions about other uses such as applications
doing some form of verification and the last mile problems but never
came to some agreement on how and what.

    This thread started with the supposition that the placement of the DS 
    record at the parent was a design flaw.  I'm pointing out that this 
    wasn't a flaw at all, it supports what the extensions were meant to 
    do.  My defense is not personal - Olafur proposed the DS record and 
    when he did I jokingly told him one of my objections is that "it came 
    from Olafur."  My defense is trying to make sure we collectively know 
    why things are the way they are and not wander off into a land of 
    folklore. The term "revisionist history" is a strong statement but it 
    kind of describes what I want to prevent.  We need to maintain an 
    accurate history, even if we re-interpret what we see.  (I looked at 
    my NANOG 19 presentation [sometime in 2000] and see places where I 
    made mistakes in explaining DNSSEC back then, because we revised how 
    we viewed it.)

To add to the history: After NLnet Labs and SIDN did a large scale
(for that time) testbed also known as the nl.nl testbed one of the
conclusions was that DNSSEC didn't scale at all. Ted Lindgreen made
some suggestions and Olafur asked whether he could mix these with
his own ideas and write it up. That became the DS proposal.

At least, this is what I remember (but don't trust my memory; it is
getting flakey).

