Re: ETSI on Minimum Requirements for European ENUM Trials
- Date: Fri, 25 Oct 2002 10:35:38 +0100
All,
I'm a little confused. I've got the impression we are discussing DNSSEC and
a couple of other subjects (IPv6...) in relation to three different
contexts: ETSI document on the minimum requirements, ENUM trial national
implementation and finally ENUM commercial phase. This does not help the
discussion.
The aim of the ETSI document is to propose a MINIMUM set of requirements
that can facilitate interoperability and interworking of ENUM national
trials in Europe. The ETSI document is just about trial and
interoperability and nothing more.
My take is that DNSSEC is not a MINIMUM requirements for trial
interoperability so it should not be recommended in the ETSI document (I
would say it's the same for IPv6). The support of DNSSEC or other
mechanisms to prevent spoofing is a national matter for each trial. The
decision of supporting DNSSEC in the trial has also to take into account
some practical aspects (e.g. costs, timeframe, extra complexity, etc...)
that
are likely to be different from country to country. It would be interesting
to have some trials (or portion of the same trial) with DNSSEC and others
without and then compare the results/feedbacks
For the ENUM commercial phase I would say it's to early to take any final
decision. Let's focus on the trials for the time being.
marco
----- Original Message -----
From: "Jim Reid" <Jim.Reid@localhost
To: "Richard Shockey" richard@localhost
Cc: "David Conrad" <david.conrad@localhost; "Stastny Richard"
<Richard.Stastny@localhost; enum-trials@localhost
Sent: Thursday, October 24, 2002 19:09
Subject: Re: ETSI on Minimum Requirements for European ENUM Trials
> >>>>> "Richard" == Richard Shockey richard@localhost writes:
>
> >> Although the ENUM and DNSSEC protocols are orthogonal, the
> >> fact is they will need to be joined at the hip before
> >> production ENUM services can start.
>
> Richard> We are going to have to agree to disagree here. I am not
> Richard> convinced of this at all and the suggestion continues to
> Richard> make me nervous.
>
> Your disagreement is making me nervous! By pushing back on DNSSEC, you
> appear to be implying things which scare me. Either there's no risk
> from DNS spoofing under e164.arpa or else there's something other than
> DNSSEC that will prevent spoofing or the consequences of that spoofing
> don't matter. Please tell me it isn't so.
>
> I would be glad to hear of some way of countering DNS spoofing attacks
> -- in general, not just for ENUM -- so if you have ideas on how to do
> that without requiring DNSSEC, I would very much like to know more
> about them.