On Oct 20, 2013, at 2:16 PM, Vernon Schryver <v...@rhyolite.com> wrote:

> Should the people working on DNS implementations prioritize making
> their DNSSEC code more robust and easier to use above or below
> addressing your issues?
I'd say "below". Resolver operators (hopefully) want to protect their caches. DNSSEC will do that, but only if people are signing their zones. There are lots of external parties (e.g., registries, registrars, software developers, resolver operators, etc.) to get DNSSEC deployed, and there remains very little incentive for anyone to sign their zones, regardless of how robust and easy it might be made.

The alternative would be to disregard current and future cache poisoning attacks. Pragmatically speaking, I personally think it highly questionable to ignore cache poisoning vulnerabilities because something which isn't yet deployed to 10% of the Internet will fix it. This would be a bit like saying "don't deploy RRL because BCP38 is the correct answer to the problem".

> Your work would be valuable if it helped pressure people to get busy on
> DNSSEC.

Seems to me the work they have done is valuable, regardless of DNSSEC.

Regards,
-drc
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs