On 2/23/12 8:48 PM, "vinny_abe...@dell.com" <vinny_abe...@dell.com> wrote:
> I kind of had the same thought... If ISC had a DNS outage due to expired
> signatures of a zone, what chance do I have in successfully deploying and
> maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it
> speaks volumes to the inherent complexity and the further need for simplifying
> the maintenance of signed zones. I know that progress is continually being
> made on this front and I think others agree... Just pointing it out again. I
> have nothing against DNSSEC, personally. I'd love to deploy it. I just don't
> have the time to maintain it or worry about maintaining it right now.

Much agreed, though I want to point out that you should only generally deploy DNSSEC (or any new technology?) if the benefit outweighs the cost. Adopting new technology "just because" usually leads to trouble (or overworked admins that give up and go elsewhere).

What's the potential risk to your organization if the mythical "determined attacker" is able to negatively or positively spoof resource records under your control? Maybe not much for you, maybe millions for financial orgs. If the potential cost to the organization is high enough... it will justify paying a team of folks to maintain DNSSEC. :-)

That said, I too look forward to a day when security is easier and more automatic. Much progress has been made, and I have high hopes and faith in ISC and the DNS community at large.

http://www.jnd.org/books.html

--
Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you. -- Carl Sandburg
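One practical check for the failure mode quoted above (RRSIGs expiring before the zone is re-signed), added here as an example and not part of this thread or of any ISC tool: it parses RRSIG records in zone presentation format and flags any that are expired, not yet valid, or close to expiring, so an operator can alert before validating resolvers start returning SERVFAIL. The sample records, key tag, signer and timestamps are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in zone-file presentation format.
# Field order per RFC 4034 section 3.2:
#   type-covered alg labels orig-ttl expiration inception keytag signer signature
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20120301000000 20120201000000 12345 example.com. AbCd==
example.com. 3600 IN RRSIG NS 8 2 3600 20120401000000 20120301000000 12345 example.com. EfGh==
www.example.com. 300 IN RRSIG A 8 3 300 20120223120000 20120124120000 12345 example.com. IjKl==
"""

RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+(?P<signer>\S+)\s+(?P<sig>.+)$"
)


def parse_sigtime(stamp: str) -> datetime:
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig_expiry(zone_text: str, now: datetime, warn_days: int = 7) -> list:
    """Return one finding per RRSIG that is expired, not yet valid, or within
    warn_days of expiring. A validating resolver treats an expired RRSIG as a
    validation failure, which is an outage for every validating client."""
    findings = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG line; other record types are ignored here
        expiration = parse_sigtime(m["expiration"])
        inception = parse_sigtime(m["inception"])
        remaining = expiration - now
        if now < inception:
            status = "not-yet-valid"
        elif remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring-soon"
        else:
            continue  # healthy signature, nothing to report
        findings.append({"owner": m["owner"], "covered": m["covered"],
                         "status": status, "days_left": remaining.days})
    return findings


if __name__ == "__main__":
    # Evaluate the constructed zone as of the date of this thread (UTC).
    for finding in check_rrsig_expiry(SAMPLE_ZONE, parse_sigtime("20120223204800")):
        print(finding)
```

Run against a real zone, feed it the output of a zone dump or a `dig +dnssec` query and schedule it well inside your re-signing interval, since the useful alert is the one that fires before the signature lapses.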