> I presented the real-world statistical data to support my claim
> that DNSSEC requires too much work. That is, it is hardly deployed
> because it requires too much work.

The reason it's hardly deployed is that people don't see the point. COM and the root zone aren't signed, so there's no perceived benefit. Most people would agree that *any* amount of work is too much when there's no perceived benefit.

It would be more interesting to see what percentage of .SE and .BR domains are signed: There *is* some perceived benefit there, and an infrastructure in place. I would expect the cost/benefit analysis to shift in favor of DNSSEC under those circumstances.

I actually agree with you that DNSSEC using BIND is more fiddly, arcane and time-consuming than it ought to be. (And I intend to improve it.) But that flaw is in the tools, not the protocol. There are lots of other things about network configuration that used to be fiddly and arcane and have since become simple; you seem to be arguing that DNSSEC won't follow suit, but I see no technical reason why it shouldn't.

--
Evan Hunt -- [EMAIL PROTECTED]
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop