ietf-mxcomp

Re: "Bob Atkinson": RE: suggested new RRtype experiment

2004-05-21 10:06:29

On 5/21/04 12:11 AM, "Arnt Gulbrandsen" 
<arnt(_at_)gulbrandsen(_dot_)priv(_dot_)no> wrote:


> Bob Atkinson writes:
> Yes, correct.
>
> I suggest that this isn't a big problem. Once other OSes support DNSSEC
> Windows must too, or the blackhats will start looking at attacks.
> DNSSEC support requires lots of new RR types, one more for MARID won't
> make a difference.
Propagating updates to any installed software, and in particular an OS
upgrade, takes years. Upgrade paths at large companies are incredibly long -
you have to have once worked at one to appreciate the incredible mire that
is the corporate upgrade process. To be two or three years behind the latest
release is not at all unusual.

Those of us supporting online services have it easy - our customers get our
upgrades whether they like it or not, when we deploy the upgrade.
Unfortunately, OS vendors don't have that luxury: any architectural mistake
(and we all make them) that escapes from Redmond is with them (and us) for
years. 

We need to just accept that for anything we want widely deployed in less
than 5 years (some people yesterday were suggesting 10), TXT records are
what we have, and we need a migration strategy for the new RR. The Windows
DNS implementation is deeply broken. But we're stuck with it for now.

If I can restate the proposed TXT to RR strategy from yesterday (as best I
understand it): define the MARID data independently of the record type.
Define a new RR, and permit publishing of the MARID record in both the new
RR and TXT. Data in the new RR supersedes anything found in TXT. If this
approach works, then other working groups faced with a similar dilemma will
have an example to follow. If it fails, they'll know to try a different
migration strategy, and the Internet community will have learned something
about how to approach the RR record problem.

Does anyone know if the DNS working groups have thought about developing a
process to certify DNS implementations? That might start to address the bad
implementation problem that is at the root of the new RR issue. From the
discussions yesterday it's pretty clear that Windows is not alone in having
a less than desirable implementation.

Margaret.
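The precedence rule restated in the message above (publish in both the new RR and TXT, new RR supersedes TXT) as a lookup routine. This is an added example, not code from the thread or from any MARID implementation. The RR type name "MARID", the version tag "v=marid1", the FakeResolver stand-in for DNS and its UnsupportedType behaviour for a resolver that cannot query the new type are all assumptions made here; the zone data is constructed.

```python
"""Added example (not part of the ietf-mxcomp thread): the TXT-to-new-RR
migration rule, as a lookup routine over constructed zone data.

Assumptions (none come from the page): the new RR type is called "MARID",
MARID data starts with the tag "v=marid1", and a resolver that does not
understand the new type raises UnsupportedType rather than passing the
query through.
"""

from dataclasses import dataclass, field

MARID_TAG = "v=marid1"   # assumed version tag that identifies MARID data


class UnsupportedType(Exception):
    """Raised by a resolver that cannot query the requested RR type."""


@dataclass
class FakeResolver:
    """Constructed stand-in for DNS: zone data keyed by name, then by type."""
    zones: dict
    supports_new_rr: bool = True
    queries: list = field(default_factory=list)   # audit trail of lookups

    def query(self, name: str, rrtype: str) -> list:
        self.queries.append((name, rrtype))
        if rrtype == "MARID" and not self.supports_new_rr:
            raise UnsupportedType(f"resolver cannot query {rrtype}")
        return list(self.zones.get(name, {}).get(rrtype, []))


def marid_records(strings):
    """Keep only strings carrying MARID data (TXT may hold unrelated text)."""
    return [s for s in strings if s.startswith(MARID_TAG)]


def lookup_marid(resolver, domain):
    """Return (record, source). New RR supersedes TXT; TXT is the fallback.

    Returns (None, None) when the domain publishes no MARID data at all.
    Raises ValueError when one type yields more than one MARID record,
    because the rule does not say which of two records to believe.
    """
    try:
        new_rr = marid_records(resolver.query(domain, "MARID"))
    except UnsupportedType:
        new_rr = []  # legacy resolver: behave as a pure-TXT client
    if new_rr:
        found, source = new_rr, "MARID"
    else:
        found = marid_records(resolver.query(domain, "TXT"))
        source = "TXT" if found else None
    if len(found) > 1:
        raise ValueError(f"{domain}: {len(found)} MARID records in {source}")
    return (found[0], source) if found else (None, None)


# Constructed zone data: one domain in each migration state.
ZONES = {
    # both published; the new RR must win over the stale TXT copy
    "both.example": {
        "TXT": ["some unrelated text", f"{MARID_TAG} old-policy"],
        "MARID": [f"{MARID_TAG} new-policy"],
    },
    # not yet migrated: TXT only
    "txtonly.example": {"TXT": [f"{MARID_TAG} txt-policy"]},
    # fully migrated: new RR only, so legacy resolvers see nothing
    "newonly.example": {"MARID": [f"{MARID_TAG} rr-policy"]},
    # publishes nothing relevant
    "none.example": {"TXT": ["just a comment"]},
}


if __name__ == "__main__":
    modern = FakeResolver(ZONES)
    legacy = FakeResolver(ZONES, supports_new_rr=False)
    for name in ZONES:
        print(name, lookup_marid(modern, name), lookup_marid(legacy, name))
```

The "newonly.example" case is the migration hazard the message is worried about: once a publisher drops the TXT copy, any client behind a resolver that cannot query the new type silently sees no policy at all, so the dual-publication period has to outlast the resolver upgrade cycle.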