On Tue, 19 Aug 2008, Andrew Sullivan wrote:
> Sure, large organizations with large, mostly competent, and very conservative IT departments (think "banks") will probably not have this problem and will probably deploy successfully. None of that will matter, however, if everyone else starts adopting policies like "disable DNSSEC -- too risky."
DNSSEC is purely optional though. Anyone can decide to 1) not publish DNSSEC auth data and 2) not use DNSSEC-based resolvers. What happens after that is not up to engineers. It will be up to lawyers to prove that someone not deploying DNSSEC made the best decision in the interest of their customers. As for TLDs, I wonder what will happen if .eu decides to go DNSSEC, but .com won't. It will be interesting to watch and see if organisations start migrating away from .com then, at which point DNSSEC would have to be deployed to ensure not losing customers.
> Now, maybe that doesn't matter for many of these cases. It is entirely possible that DNSSEC deployment for most zones is just not worth it. If that's true, however, why are we so worried about poison attacks?
Because this is only true for the authoritative part of DNSSEC. Since Dan showed you can cache poison any non-DNSSEC resolver for ANY domain, not just the domains you are not protecting, you basically have no choice but to mitigate this problem. And DNSSEC, for good or bad, is what we have right now.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop