> From: Daniel Kalchev <dan...@digsys.bg>
>
>> Have you turned on DNSSEC where you can? If not, why not?
>
> When one claims "DNSSEC is difficult", while others claim it is not, then
> something is wrong. Answering questions like these might help find out
> where the wrong comes from and eventually fix it.

I think the claim was more "dangerous" than "difficult":

} It's a complicated story to tell and it doesn't make for clear
} straightforward advice; for the foreseeable future deploying DNSSEC on
} the auth side makes you more vulnerable, as there are still more ...

> See, I can answer such questions. Why can't others?

The signing half of the answer is often public with `dig +dnssec`. The verifying half is hard to see, but almost or soon guessable as "yes" thanks to big resolvers and default-on verifying in software including BIND.

> As for port randomization, etc -- these things will obviously happen.
> But the number of people that need to get involved is very small. These
> people know already what to do and will do it. On the other hand, the
> number of people needed to get involved with proper DNSSEC
> implementation is pretty large -- and this is where we should put our
> efforts.

I hope that a big reason DNSSEC signing is rare
http://scoreboard.verisignlabs.com/percent-trace.png
is obstruction by registrars. That might change next year.
http://www.internetsociety.org/deploy360/blog/2013/09/icanns-2013-raa-requires-domain-name-registrars-to-support-dnssec-ipv6/

My main complaint about the port randomization talk and its refusal to address the DNSSEC relative priority issue is that it gives those who should DNSSEC sign an excuse to say DNSSEC is difficult, dangerous, and unneeded. Port randomization solves the DNS security problem and I needn't do anything but wait for new software in a few years.

Vernon Schryver    v...@rhyolite.com

P.S. Checking SMTP headers for STARTTLS often illuminates even better than `dig +dnssec`. I'm amused by authoritative sounding security talk that lacks the minimal, easy protection of STARTTLS.
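The two halves of the answer the message refers to, the "signing half" (RRSIGs present in the answer) and the "verifying half" (the resolver's `ad` flag), can both be read off the text output of `dig +dnssec`. The helper below is an added example for this thread, not code from the original post; it assumes dig's standard text layout, and the sample answers it is run over are constructed, not captured from any real zone.

```shell
#!/bin/sh
# Added example, not from the original thread: read `dig +dnssec NAME A`
# text output on stdin and report whether the zone publishes RRSIGs and
# whether the recursive resolver validated the answer ('ad' flag).
# Sample inputs below are constructed; example.net/192.0.2.10 are
# documentation values and the key tag and signature are placeholders.

# Prints one of: signed+validated, signed, unsigned
dnssec_status() {
    out=$(cat)
    rrsig=0
    ad=0
    # A non-comment record line whose type is RRSIG means the zone is signed.
    printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' && rrsig=1
    # 'ad' among the header flags means the resolver validated the data.
    printf '%s\n' "$out" | grep -Eq '^;; flags:[^;]* ad[ ;]' && ad=1
    if [ "$rrsig" -eq 1 ] && [ "$ad" -eq 1 ]; then
        echo signed+validated
    elif [ "$rrsig" -eq 1 ]; then
        echo signed
    else
        echo unsigned
    fi
}

# Constructed sample: zone signed, validating resolver set 'ad'.
SIGNED_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net.  3600 IN A     192.0.2.10
example.net.  3600 IN RRSIG A 8 2 3600 20131130000000 20131101000000 12345 example.net. c2lnLXBsYWNlaG9sZGVy'

# Constructed sample: zone signed, but the resolver does not validate.
SIGNED_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net.  3600 IN A     192.0.2.10
example.net.  3600 IN RRSIG A 8 2 3600 20131130000000 20131101000000 12345 example.net. c2lnLXBsYWNlaG9sZGVy'

# Constructed sample: unsigned zone, no RRSIG and no 'ad'.
UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net.  3600 IN A     192.0.2.10'

# Stand-alone demonstration over the constructed samples.
for s in "$SIGNED_VALIDATED" "$SIGNED_ONLY" "$UNSIGNED"; do
    printf '%s\n' "$s" | dnssec_status
done
```

Against a live name, pipe the real output in: `dig +dnssec example.net A | dnssec_status`; a "signed" result without "validated" says the zone is doing its half while the resolver you asked is not.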
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs