David Conrad wrote:
> So far, I have seen what appears to be a lot of FUD from Masataka and
> the usual concerns/complaints about DNSSEC from folks who haven't
> implemented it in their products or services.
Unlike me, you have no implementation expertise.

I did implement server code for my proposal of "Simple Secure DNS" more than 10 years ago to confirm that, unlike DNSSEC, it can be implemented easily. From the beginning, I knew it is essentially (except to support reading/writing new RR types from/to the zone file) less than 100 lines of modification to BIND, and it actually was so.

As a lazy implementor, I can design protocols to avoid useless implementation efforts. As a faithful protocol designer, I implement my design to confirm it actually requires little implementation effort.

At that time, because of fundamental complexity, there was no DNSSEC implementation.

Thus, I am the implementer who can authoritatively declare that all the implementors and system administrators of DNSSEC do not understand both DNS and PKI and are brain dead.

I, of course, won't bother to implement proven-to-be-fundamentally-broken DNSSEC nor join proven-to-be-useless attempts to improve the proven-to-be-fundamentally-broken protocol.

Anyway, the other problem of DNSSEC is that PKI, as a concept, is fundamentally broken, against which no PKI protocol can be useful.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop