On 25.10.13 15:20, Stephane Bortzmeyer wrote:
> On Tue, Oct 22, 2013 at 11:59:04PM +0000,
>  Vernon Schryver <v...@rhyolite.com> wrote
>  a message of 50 lines which said:
>
>> Why would there be extra support calls?  Wrong keys are no worse
>> than wrong delegations
>
> Of course, they are worse. In the vast majority of cases, lame
> delegations (or other mistakes) do not prevent resolution (as long as
> one name server works). A wrong key can completely prevent resolution,
> leading to a loss of service. The DNS is extremely robust, you have to
> try very hard to break it. With DNSSEC, it's the opposite, you have to
> be very careful for it to work.

DNS is "very robust" only if you accept "whatever" as the answer.

This is very similar to the claim "you can create a very fast (whatever) algorithm, as long as you do not require the right answer".

Thing is, DNSSEC does improve the quality of DNS, by also requiring more discipline and attention, in addition to the obvious cryptographic verification of responses. More discipline and attention always helps.

It is only natural that there will always be opposition to DNSSEC, as there will always be lazy "admins" whose traditional excuse is "it is someone else's fault".

Daniel
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations