[Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri May 16 07:51:30 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I think that the library idea is great, and I would like that.

Best regards, Wouter

On 05/14/2014 04:19 PM, Paul Wouters wrote:
> On 05/14/2014 10:09 AM, Petr Spacek wrote:
> 
>>> This can be used for a new test for
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1096240
>> 
>> I think we should: - Make test names/records configurable in the
>> library. - Deploy own Fedora-sub-tree dedicated to DNS-tests. It
>> can be something like dnstest.fedoraproject.org. and put all
>> necessary records there.
>> 
>> This allows every distributor to build the library with it's own
>> set of names. This avoids single point of failure (from the
>> perspective of all library users) and removes dependency on
>> external entity.
> 
> I do not agree. The tests are carefully selected to
> 
> 1) be run against very stable zones (hence TLD sized zones)
> 
> 2) not have a privacy impact (hence TLD sized zones)
> 
> 3) not have all eggs in one basket
> 
> fedoraproject.org has already proven to be too unstable when they
> changed CA provider without updating their TLSA record after
> heartbleed.
> 
> Having different tests also means all different library users have
> their own bugs, their own false positives, and no one gets the
> advantage of new test cases found in the wild, some of which might
> be difficult to reproduce in other zones.
> 
> Paul
> 
> 
> 
> _______________________________________________ dnssec-trigger
> mailing list dnssec-trigger at NLnetLabs.nl 
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTdcOCAAoJEJ9vHC1+BF+NYg4P/1JvVRHl89bx3reT40bFMX+5
5Hez3oVk/+wQljHRa3J/NwTQ3oKX42Y1Xvh+hQW1+DJappRBYL48cSqTQGx/hir4
SsYoj9Gu13SLANGyE9p/HKsZMabrKMaWHwNE1NlMz1J3mlLMwFaTzVO7++l9T78m
ZZ/u4Ez38wbyPFpljc7AwTUDTVHI/LT8AblcMLVzdDkxDsgJHd8cScdiRbNW/81M
m+VZDKGXnGZBV71z58p6ews0PKbibu4vIWBAtV6musEAe3UMi8iXw8hys/0yS9i6
xd0+j1OxiKBgoTvx0JNI+Dcj/vGdDJrgX/PwYnMm35cBLd+OqfYmHET35JB9Xcw9
Vv8aho4ZzN0Z5VKFHsAPJ+h5US2jJ3K9/Y/OIKk90AJiAvWhLvhnBOafMUcNbggC
aVJsYAhYSY7FO2XKNsXCsPs+YWe1q8MKA0sBXcQw1B5HWcb7jyoRL1kj4pqeNH0L
aLW7Yw0IT+Q5V6MpEDWEfRVDNdSez0pt/tryyUbKNw2b0nt3N3g/QbIe6ZyGw2Om
N5ymtm0RVQghwVGO+ksjJ7o2kTWxq/fRLP+zmJvCIIVsFAno6yYwXQNKvbZ7m+bR
9PADO0Oeg+jg3EVEywS89IYRyxO+bjrFXBlir1bdnxoOylr+Yj5auQ5YEYVqx0uq
8sYOB6kU+bHBZ2+Ddm8+
=tHg8
-----END PGP SIGNATURE-----



More information about the dnssec-trigger mailing list