
Re: [dane] Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based

2012-04-25 13:33:36
On Wed, Apr 25, 2012 at 11:15 AM, Andrew Sullivan
<ajs(_at_)anvilwalrusden(_dot_)com> wrote:
> On Wed, Apr 25, 2012 at 09:52:39AM -0400, Phillip Hallam-Baker wrote:
>
>> dependency on the DNSSEC trust chain despite the easily observed fact
>> that less than 97% of DNS resolvers will pass anything other than
>> A/AAAA and CNAME records.
>
> I'm having a hard time understanding that sentence.  Could you
> clarify, please:
>
> A.  Fewer than 97% of DNS resolvers can pass anything other than
> A/AAAA and CNAME, which means something more than 3% of resolvers pass
> only A/AAAA and CNAME.
>
>    This is what I _think_ you mean, which means that n% > broken
>    resolvers > 3%, right?  If so, I'd like a citation, though it
>    doesn't sound wrong to me.  That we'd have something on the order
>    of 3% of the software deployed everywhere on the Internet be
>    broken ought to be completely unsurprising.

That was what two independent studies that were input to the CABForum
revocation Workshop found. One was by Comodo, the other I am not sure
what the citability status would be.

The Comodo study was obtained by hooking the OCSP validation call in a
very large number of browsers for over a week. I will see if it could
be submitted as a draft as such studies can be useful.

> B.  97% of the DNS resolvers is the most that has ever been observed
> working according to specification, and the number may be much lower.
>
>    This is the rhetorical point I think might be read in.  In this
>    case, I think a citation is in order.

Unfortunately this is also the case since we were merely looking for
support for TXT records. So I would expect to see an even higher rate
of stripping for DNSSEC records.

-- 
Website: http://hallambaker.com/
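The thread turns on an empirical question: what fraction of resolver paths pass record types beyond A/AAAA/CNAME, and in particular the TXT records the cited study checked and the TLSA/DNSKEY records DANE depends on. The script below is an added example, not code from the thread, the Comodo study or the DANE draft; it probes a single recursive resolver for those types using only the standard library, so an operator can check their own resolver path before relying on DANE. The resolver address, probe host and timeout are caller-supplied assumptions, and make_sample_response() builds a constructed reply (not a capture) so the parser can be exercised offline.

```python
"""Probe whether a recursive resolver passes TXT, TLSA and DNSSEC records.
Added example (not from the thread): hand-built DNS queries over UDP, reply
classified by RCODE and by whether the asked-for RR type is in the answer.
"""
import random
import socket
import struct

RR_TYPES = {"TXT": 16, "RRSIG": 46, "DNSKEY": 48, "TLSA": 52}  # IANA type codes
SERVFAIL = 2


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, rtype, want_dnssec=False, txid=None):
    """Standard query with RD set; want_dnssec adds an EDNS0 OPT RR with DO."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    question = _encode_name(name) + struct.pack("!HH", rtype, 1)  # class IN
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field = DO flag
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name; a 2-byte compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return header flags and the RR types found in the answer section."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    answer_types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answer_types": answer_types}


def classify(rtype, parsed):
    """Verdict for one probed type; parsed is None when nothing came back."""
    if parsed is None:
        return "TIMEOUT"
    if parsed["rcode"] == SERVFAIL:
        return "SERVFAIL"  # common symptom of a path that chokes on the type
    if parsed["rcode"] != 0:
        return "RCODE%d" % parsed["rcode"]
    if rtype in parsed["answer_types"]:
        return "PASSED"
    return "NODATA_OR_STRIPPED"  # NOERROR, but the requested type is absent


def probe(resolver, name, rtype, want_dnssec=False, timeout=2.0):
    """Send one query to resolver:53 over UDP and classify the reply."""
    query = build_query(name, rtype, want_dnssec)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(rtype, None)
    parsed = parse_response(data)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        return "ID_MISMATCH"
    return classify(rtype, parsed)


def make_sample_response(txid, name, qtype, answer_types, rcode=0):
    """Constructed reply for offline testing (not a real capture): QR|RD|RA set,
    each answer RR points back at the question name and carries dummy RDATA."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answer_types), 0, 0)
    msg = header + _encode_name(name) + struct.pack("!HH", qtype, 1)
    for t in answer_types:
        rdata = b"\x00\x01\x02\x03"
        msg += b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    import sys
    resolver, host = sys.argv[1], sys.argv[2]  # placeholders: 192.0.2.53 example.com
    for label, name, dnssec in [("TXT", host, False),
                                ("TLSA", "_443._tcp." + host, True),
                                ("DNSKEY", host, True)]:
        print("%-7s %s" % (label, probe(resolver, name, RR_TYPES[label], dnssec)))
```

Run it against each resolver in a client population's path (the local stub's forwarder, the ISP resolver, a corporate middlebox) and tally the verdicts: a path that answers TXT but returns SERVFAIL or an empty answer for TLSA with DO set is exactly the stripping the thread predicts will be worse for DNSSEC types than for TXT.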
