On Sat, 9 Aug 2008, Paul Wouters wrote:

>
> > DNSSEC, a cryptographic version of DNS, has been in development since
> > 1993 but is still not operational.
>
> It seems that Mr. Bernstein also suffers from the "America is not the
> world" syndrome.

???

> > Bernstein said that DNSSEC offers "a surprisingly low level of security"
> > while causing severe problems for DNS reliability and performance.
>
> Let's not argue about the subjective "surprisingly". But what is this
> "low level of security"? Is a fully trusted path 'low level'? If so,
> what is 'high level'?

I think http://cr.yp.to/talks/2004.04.28/slides.pdf might help.

> > "We need to stop wasting time on breakable patches," Bernstein said. He
> > called for development of DNSSEC alternatives that quickly and securely
> > reject every forged DNS packet.
>
> This statement even goes so far as to suggest DNSSEC is a "breakable patch"
>
> In general, for all those people who claim DNSSEC is not the solution, I
> have a few questions
>
> 1) What is more broken with DNSSEC than on DNS?

The question really should be 'What is LESS broken with DNSSEC than with
DNS?' Equally broken is bad, too. 'More broken' is clearly a disaster.
'Not broken' is the goal.

> 2) If DNSSEC is flawed, where is a better alternative?

I think there are indeed better alternatives. Bernstein calls for
development of alternatives. But to find alternatives, IETF has to stop
silencing the people who can figure out solutions, merely because those
people oppose the BIND cartel. The BIND cartel gave us the flawed
solutions; it did this by silencing the opposition to create a false
consensus on their ideas. The cartel continues to exercise control of (at
least) IETF DNSEXT and continues to silence its critics, even though its
credibility at solving these problems should have been exhausted a long
time ago. Silencing the cartel's critics was improper.

> Without answering those questions, you can't really reject DNSSEC over
> the alternative of keeping to run DNS as we have so far.

Sure you can reject DNSSEC. One broken solution doesn't justify deployment
of another broken solution. Time and again we've seen this same pattern:
Someone essentially yells "Emergency! Let's rush out this (non) solution!
No time to think things through!". In almost every case, there is usually
no emergency, and the 'solution' is frequently worse than the problem.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop