On Sep 21, 2010, at 10:14 PM, Doug Barton wrote: > On 9/21/2010 7:46 AM, Kalman Feher wrote: >> It may well be analogous to that (though I disagree), but the quote does not >> substantiate why knowing public information is bad. In the example above, >> you've simply saved your switchboard and the caller some time. If you don't >> want someone to know it, don't make it public (at the very least). >> >> You'll have to accept that no matter what steps you take, your public >> information will be available to those who wish to find it. Taking steps to >> prevent that is likely to waste more of your time than it will of those >> looking. > > When this topic first came up 12+ years ago I (and others) said that DNSSEC > would never see wide deployment unless the ability to walk the zone was > eliminated. We were all poo-pooed at the time with lots of "security through > obscurity, LOL" type arguments. Development of DNSSEC specs continued to > ignore the need to eliminate zone-walking for almost a decade until finally a > consortium of folks more influential than I put their foot down and hammered > out the NSEC3 spec (abridging the history here for the sake of a good story). > > My point being, it really doesn't matter if you agree with the reasoning or > not, whether you understand the use case(s) or not, or whether you ever > deploy NSEC3 or not. The fact is that there are a non-trivial number of > organizations who will not deploy DNSSEC without it, so attempting to > convince people not to use it is pointless.
This is *very* true, and (IMO) something that I think it would be very useful for the v6 community to fully grok -- it matters not how awesome your solution is, if it doesn't do what the customer wants, they just won't deploy it.... (see the DHCPv6 discussions, etc)... W > > > Doug (... and it annoys the pig) > > -- > > ... and that's just a little bit of history repeating. > -- Propellerheads > > Improve the effectiveness of your Internet presence with > a domain name makeover! http://SupersetSolutions.com/ > > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
