----- Original Message -----
From: "Mark Andrews" <marka@isc.org>
[ vix: ]
meanwhile isc continues to push for ubiquitous dnssec, through to the stub, to take this issue off the table for all people and all time. (that's "the real fix" for nxdomain remapping.)
You really believe that the outcome of that will be "we can't make some extra revenue off NXDOMAIN remapping because of DNSSEC? Well, the hell with DNSSEC, then"?
People will route around ISP that do stupid things. They do so today. When your browers supports DANE there will be more incentive to ensure that DNSSEC does not break and more incentive to route around ISP's that do break DNSSEC.
My personal reaction to that, Mark, is to say that you *badly* overestimate the average Internet end-user (who make up, roughly, 80% of the endpoints, in my jackleg estimation).
Even a ISP that is redirecting on NXDOMAIN wants to be sure that it is a real NXDOMAIN not one that is spoofed do the path to the ISP's resolver will be DNSSEC clean and they will be validating.
I'm not sure I understood that...
Until stub resolvers set DO=1 pretty much ubiquitously this won't be a problem for ISP's that want to do nxdomain redirection. There still plenty of crappy DNS proxies in CPE routers to be replaced before you can just set DO=1 as a default without worrying about breaking DNS lookups. Even setting EDNS as a default is a issue.
...but that's probably because I don't understand DNSSEC well enough.
That said we are starting down the long path to making it EDNS a default. DiG in BIND 9 defaults to using EDNS and "dig +trace" turns set DO=1 as well. You don't get things fixed if the breakage is not visible.
We may be talking about different breakage here... Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274