On Mon, Aug 18, 2008 at 03:47:46PM -0700, David Conrad wrote:
> In today's Internet, most network engineers (at least at real companies)
> don't go turning on new, weird technologies for fun.

This is true.

> If some technology is going to be deployed, there is generally a
> business reason for that to happen.

This is also true, but in my experience one of those business reasons is, depressingly often, "This is the Current Thinking I read in _Network World_. We need to get this done!"

If there is a boom on for DNSSEC deployment, and the tools are not available, and naive deployers screw it up, the cost:benefit evaluation ("analysis" is way too generous) in such companies will, I predict, change back to "don't deploy", and stay there. Those companies will never look at the technology again, whatever the business reason is. "Too risky. It doesn't work. It breaks things."

Sure, large organizations with large, mostly competent, and very conservative IT departments (think "banks") will probably not have this problem and will probably deploy successfully. None of that will matter, however, if everyone else starts adopting policies like "disable DNSSEC -- too risky."

Now, maybe that doesn't matter for many of these cases. It is entirely possible that DNSSEC deployment for most zones is just not worth it. If that's true, however, why are we so worried about poison attacks?

A

-- 
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/