On Aug 13, 2008, at 4:04 AM, Masataka Ohta wrote:
> Maybe, Ted could provide some virtual-world data realistic enough to
> deny the real-world statistical data such as:
> djb> Last week's surveys by the DNSSEC developers ("SecSpider") have found a
> djb> grand total of 99 signed dot-com names out of the 70 million dot-com
> djb> names on the Internet
Ohta-san, you made the claim that managing DNSSEC is so much more work
than maintaining regular DNSSEC that the cost of doing so outweighed
the benefit of doing so - the added security. You provided no
statistics to back up that claim, and that claim is contrary to my own
personal experience with setting up DNSSEC.
The statistic you present above is probably true, and certainly
matches my personal experience. However, it says nothing about how
much work is involved in setting up and maintaining DNS zones.
Rather, what it says is that .COM is not signed. There's no security
benefit to signing your zone if the trust anchor on which your zone
depends is not signed. So this statistic is not part of the cost/
benefit analysis we were talking about - it's a non sequitur.
It's certainly true that in order for .COM zones to get any meaningful
security out of DNSSEC, either .COM has to be signed, or we have to
use some other trust anchor mechanism, like DLV or DLVPTR, so if you
wanted to use this statistic to justify deploying some alternative
trust anchor system, that would make sense.
BTW, one exercise that I'd like to suggest for participants in this
discussion is that, despite the fact that .COM is not signed, you sign
your .COM zones if you haven't already. I'm in the process of doing
that myself. Given that only 90 are signed so far, I suspect that a
lot of DNS geeks just haven't bothered yet because .COM isn't signed.
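The chain-of-trust point above (a signed zone under an unsigned parent gains nothing until a trust anchor, or an alternative such as DLV, covers it) as an added worked example; this is my own illustration, not code from the thread or from any DNS implementation, and every zone, DS record, anchor and DLV entry in it is constructed sample data.

```python
"""Simplified DNSSEC chain-of-trust walk (added example, constructed data).

A zone validates as "secure" only when an unbroken chain of DS records
leads from a configured trust anchor down to it.  When that chain ends in
an unsigned delegation (e.g. an unsigned .COM), a lookaside registry (DLV)
may vouch for the zone directly instead."""

# Constructed delegation data: per zone, whether it is signed and which
# child zones it publishes DS records for.  The root is an anchor here but
# publishes no DS for com., mirroring an unsigned .COM.
ZONES = {
    ".":             {"signed": True,  "ds": {"org."}},
    "com.":          {"signed": False, "ds": set()},
    "signed.com.":   {"signed": True,  "ds": set()},
    "example.com.":  {"signed": True,  "ds": set()},
    "org.":          {"signed": True,  "ds": {"example.org.", "broken.org."}},
    "example.org.":  {"signed": True,  "ds": set()},
    "unsigned.org.": {"signed": False, "ds": set()},
    "broken.org.":   {"signed": False, "ds": set()},   # DS published, no keys
}

def ancestors(name):
    """'a.b.' -> ['a.b.', 'b.', '.']: the zone itself, then each parent."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def walk(path, zones):
    """Validate a top-down path whose first element is a trusted zone."""
    if not zones[path[0]]["signed"]:
        return "bogus"              # trust placed in a zone that is not signed
    for parent, child in zip(path, path[1:]):
        if child not in zones[parent]["ds"]:
            return "insecure"       # signed parent, no DS: unsigned delegation
        if not zones[child]["signed"]:
            return "bogus"          # DS promises keys the child does not have
    return "secure"

def validate(name, zones=ZONES, anchors=frozenset({"."}), dlv=frozenset()):
    """Return 'secure', 'insecure' or 'bogus' for a zone name.

    anchors: zones with a locally configured trust anchor.
    dlv:     zones a lookaside registry vouches for; consulted only when the
             chain from the configured anchor ends in an unsigned delegation."""
    chain = ancestors(name)
    result = "insecure"
    i = next((k for k, z in enumerate(chain) if z in anchors), None)
    if i is not None:
        result = walk(chain[:i + 1][::-1], zones)
    if result == "insecure":
        j = next((k for k, z in enumerate(chain) if z in dlv), None)
        if j is not None:
            result = walk(chain[:j + 1][::-1], zones)
    return result
```

With the constructed data, signed.com. stays "insecure" despite being signed, while example.com. becomes "secure" once a DLV entry covers it.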
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop