On Mon, 4 Oct 2004, John Levine wrote:
>>> Hmmn. We can't even get people to deploy a new DNS record type within
>>> an existing well defined spec, and you're proposing a new scheme, ...
>> That's because it means upgrading their DNS server, something no one
>> wants to do.
> I look forward to learning why installing a new service which requires
> upgrades to firewalls and NAT is easier than upgrading a DNS server.
> I agree that people are reluctant to upgrade a DNS server, but they
> seem to me far more reluctant to add a new server with unknown loads
> and unknown security issues.
DNS-based call-back verification services do not require a DNS server
upgrade. All you need to do is install the stunt DNS server alongside your
existing DNS infrastructure and arrange for the appropriate NS delegation.
DNS comes with a lot of desirable infrastructure, most of which would have
to be duplicated by an alternative UDPCBV service -- especially caching,
service advertisement, and (eventually) cryptographic security. Even in
the absence of DNSSEC there is a lot of knowledge about DNS security which
would not necessarily apply to a new service.
I'm also very sceptical about the need for a new UDPCBV service, despite
the fact that DNSCBV is rather too clever for comfort.
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
SOUTHEAST ICELAND: EAST OR NORTHEAST 6 TO GALE 8, INCREASING SEVERE GALE 9.
RAIN OR SHOWERS. MODERATE OR GOOD.
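What "install the stunt DNS server alongside your existing DNS infrastructure and arrange for the appropriate NS delegation" looks like in practice, as an added example that is not code from this thread or from any real DNSCBV implementation. The verification scheme is invented for illustration: the sending MTA stamps each message with a token that is an HMAC, under a per-domain secret, over a label derived from the Message-ID; the receiving MTA queries `<token>.<label>._cbv.example.com`; the stunt server computes the answer from the name rather than from a zone file, returning an A record for "yes, we sent it" and NXDOMAIN otherwise. The zone name `_cbv.example.com`, the secret, the header format and the 127.0.0.2 answer are all assumptions. The existing authoritative server needs only a delegation in the parent zone (`_cbv IN NS stunt.example.com.` plus a glue A record); nothing else about it changes.

```python
"""Hypothetical "stunt" DNS responder for a delegated DNSCBV sub-zone.

Assumed (invented) scheme: parent zone example.com carries
    _cbv   IN NS  stunt.example.com.
    stunt  IN A   192.0.2.53
and this process answers for _cbv.example.com.  Only standard,
uncompressed, single-question queries are handled.
"""
import hashlib
import hmac
import socket
import struct

ZONE = "_cbv.example.com"                      # assumption: delegated sub-zone
SECRET = b"constructed-example-secret"         # assumption: one secret per sending domain
QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5


def msgid_label(message_id: str) -> str:
    """Label derived from the Message-ID; sender and receiver can both compute it."""
    return hashlib.sha256(message_id.encode()).hexdigest()[:16]


def make_token(message_id: str) -> str:
    """Sender side: token the MTA embeds in the outgoing message (hypothetical header)."""
    return hmac.new(SECRET, msgid_label(message_id).encode(), hashlib.sha256).hexdigest()[:32]


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a standard query (RD set) with one question."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\0"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, qclass, raw question section); reject odd shapes."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + n].decode("ascii").lower())   # DNS names are case-insensitive
        pos += n
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_response(txid: int, question: bytes, rcode: int, answer_ip=None) -> bytes:
    """Authoritative reply echoing the question, optionally with one cacheable A record."""
    flags = 0x8400 | rcode                       # QR=1, AA=1 (RD not copied, to keep it short)
    resp = struct.pack("!6H", txid, flags, 1, 1 if answer_ip else 0, 0, 0) + question
    if answer_ip:
        # 0xC00C points at the question name (offset 12); TTL 300 lets resolvers cache the verdict
        resp += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
        resp += bytes(int(o) for o in answer_ip.split("."))
    return resp


def handle_query(packet: bytes) -> bytes:
    """Stunt-server logic: the answer is computed from the name, not looked up in a zone file."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    if qclass != QCLASS_IN or not qname.endswith("." + ZONE):
        return build_response(txid, question, REFUSED)     # not our zone: refuse, never guess
    labels = qname[:-len(ZONE) - 1].split(".")
    if len(labels) != 2 or qtype not in (QTYPE_A, QTYPE_ANY):
        return build_response(txid, question, NXDOMAIN)
    token, label = labels
    expected = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:32]
    if hmac.compare_digest(token, expected):              # constant-time compare
        return build_response(txid, question, NOERROR, "127.0.0.2")
    return build_response(txid, question, NXDOMAIN)


def rcode(resp: bytes) -> int:
    return struct.unpack("!H", resp[2:4])[0] & 0xF


def receiver_check(message_id: str, token: str, ask=handle_query) -> bool:
    """Receiving MTA: ask the delegated zone whether this message was really sent."""
    resp = ask(build_query(0x1234, f"{token}.{msgid_label(message_id)}.{ZONE}"))
    ancount = struct.unpack("!H", resp[6:8])[0]
    return rcode(resp) == NOERROR and ancount == 1


def serve(bind=("127.0.0.1", 5353)) -> None:
    """Run the stunt server on UDP; in production the NS delegation points at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(handle_query(data), peer)
            except ValueError:
                pass                                      # malformed query: drop, don't answer


if __name__ == "__main__":
    serve()
```

`receiver_check` drives the same `handle_query` in-process, so the round trip can be exercised without a network; `serve()` is the shape of the deployed thing. Two points a practitioner should take from it: the responder refuses anything outside its delegation rather than answering, and it rejects compression pointers in the question, since a stunt server that parses arbitrary wire data is exactly the "unknown security issues" a new service brings. The scheme itself, being an added illustration, also shows why the thread calls DNSCBV "rather too clever for comfort": a token bound only to the Message-ID can be replayed by anyone who has seen the message, so a real design would bind in the envelope and a time window and rely on the short TTL to bound cached verdicts.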