Re: [idn] Re: Optional & Additional Character Equivalence Preparations by Zone
For the same reasons as the thread on CDN (i.e., not of core interest),
this thread is also out of scope, so please take it offline. I already
gave you my comments offline.
Thanks!
-James Seng
----- Original Message -----
From: "Edmon" <edmon@neteka.com>
To: "Erik Nordmark" <Erik.Nordmark@eng.sun.com>
Cc: "Patrik Fältström" <paf@cisco.com>; "Masahiro Sekiguchi" <seki@jp.fujitsu.com>; "IETF-IDN" <idn@ops.ietf.org>
Sent: Friday, January 25, 2002 12:14 AM
Subject: Re: [idn] Re: Optional & Additional Character Equivalence Preparations by Zone
> ----- Original Message -----
> From: "Erik Nordmark" <Erik.Nordmark@eng.sun.com>
> > If the DNS servers don't care about potential DoS attacks and having on-line
> > keys then signing on the fly could work. But that is a huge "if".
> > The DoS attack is that anybody can send DNS queries to have the DNS server
> > spend all its CPU generating signatures on the fly.
> > Sure sounds like a bad design from a security and robustness perspective.
> >
> Which is why I said it is not advisable. But it is a possibility.
>
> > I don't understand what "opt-in" has to do with IDN. Could you please explain?
>
> Multilingual names that have character equivalency issues will have to
> opt-out of DNSSEC.
>
> > Your third idea (SIG RRs for all permutations) has a natural follow-on:
> > If you have enough memory/storage for the large SIG RRs for all permutations
> > then the additional memory/storage for the underlying RRs for all permutations
> > will be very small. So in practice this sounds like creating all permutations
> > in the zone file e.g. at registration time.
> > That (or just a subset of all permutations picked at registration time) has the
> > benefit of not requiring any changes to the DNS server software.
>
> Erik, honestly, I don't have the exact "best" solution yet. My point is that
> there are "possibilities" and we should not rule the entire thing out just
> because it might be a bit difficult. I really want to stop talking about
> this subject on this list, but it seems to me very irresponsible, especially
> considering that I am an implementor of this technology, that I would have to
> tell my customers that:
> A.example is NOT the same as A.example
> How can I do that? Any normal person in this world would not accept this,
> yet I am creating a system that forces them to accept that. I could step
> back and say, "oh well, buyers beware", but it just doesn't seem right. Do
> you think it is right?
>
> Edmon
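As an added illustration of the "all permutations in the zone file at registration time" option discussed in the quoted exchange, the Python below is not code from the thread or from any IETF-IDN participant. It enumerates the character-equivalence variants of one label from a constructed toy variant table (three traditional/simplified Han pairs; real per-zone tables are much larger and are policy, not Unicode fact), then emits one RR per variant under the placeholder zone `example`. The layout in which the registered form carries the A record (192.0.2.1, a documentation address) and every other variant is a CNAME to it is an assumption chosen for the example, not something the thread specifies. What it makes concrete is that the record count is the product of the per-character equivalence-set sizes, so a zone that pre-generates permutations (and, under DNSSEC, their signatures) has to bound the variant set up front rather than generate signatures per query.

```python
import itertools

# Constructed toy variant table (illustration only, not a registry policy):
# character pairs a zone might treat as equivalent. Real tables are per zone
# and far larger than this.
VARIANT_PAIRS = [("國", "国"), ("書", "书"), ("體", "体")]

# Symmetric lookup: every member of a pair maps to the whole equivalence set,
# so the label may be registered in either form.
VARIANTS = {}
for pair in VARIANT_PAIRS:
    for ch in pair:
        VARIANTS.setdefault(ch, set()).update(pair)


def variant_sets(label):
    """Per character, the sorted equivalence set (just the character itself
    if the table has no variants for it)."""
    return [sorted(VARIANTS.get(ch, {ch})) for ch in label]


def permutations(label):
    """Every label obtainable by replacing each character with one of its
    equivalents; the Cartesian product of the per-character sets."""
    return ["".join(chars) for chars in itertools.product(*variant_sets(label))]


def permutation_count(label):
    """Size of that product without enumerating it: the product of the set
    sizes, which is exponential in the number of variant-bearing characters."""
    count = 1
    for s in variant_sets(label):
        count *= len(s)
    return count


def ace(label):
    """ASCII-compatible ("xn--") form of a label as it appears in a zone file,
    via Python's built-in IDNA codec."""
    return label.encode("idna").decode("ascii")


def zone_records(label, zone, address):
    """One RR per permutation. Assumed layout for the example: the registered
    form gets the A record and every other variant is a CNAME to it, so all
    variants resolve (and can be signed) from static zone data."""
    canonical = f"{ace(label)}.{zone}."
    records = []
    for variant in permutations(label):
        owner = f"{ace(variant)}.{zone}."
        if variant == label:
            records.append(f"{owner} IN A {address}")
        else:
            records.append(f"{owner} IN CNAME {canonical}")
    return records


if __name__ == "__main__":
    label = "國書體"  # constructed sample: three characters, each with one variant
    print(permutation_count(label), "permutations for", label)
    for rr in zone_records(label, "example", "192.0.2.1"):
        print(rr)
```

For the three-character sample this yields eight owner names; a ten-character label whose every character has one variant would need 1024 records plus their signatures, which is the storage trade-off the quoted message describes. A registry that adopts this approach therefore picks a bounded subset of variants at registration time instead of the full product.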