
Re: [idn] New protocol proposal: IDNRA



--On Sunday, 27 August, 2000 21:14 -0700 Bill Manning
<bmanning@ISI.EDU> wrote:

>	 We have some metrics on diffusion rates of new code
>	 in the DNS.  If significant vulnerabilities exist,
>	 they are generally mitigated in about 18 months, at least
>	 based on current data.

Once again, the issue is really not the DNS, but the
applications.  And that is true independent of the solution
chosen unless the entire path from UI to APIs to resolver is
completely insensitive to the presence of names outside the
traditional format and set of characters.   This is not an
argument against moving forward as quickly as possible; it is an
argument against selecting any solution that depends on a "short
period of pain, then everything will be ok" model.

That said, would you care to define "significantly mitigated" in
statistical or loss function terms?  We _know_ that new versions
of popular servers and resolvers don't deploy that quickly: as
has been pointed out, we've still got versions of
vendor-provided BIND 4 in moderately wide use.  How would you
characterize, based on the data you have available, the
percentage penetration of the new/fixed code?  The percentage
weighted by resolution activity rate?  Penetration at the upper
levels of the tree (e.g., 2nd - 4th level domains) versus lower
down?  Penetration inside and outside enterprise networks?  And
so on?

    john