Florian Weimer wrote:

>> Anyway, the other problem of DNSSEC is that PKI, as a concept, is
>> fundamentally broken, against which no PKI protocol can be useful.
>
> I think we need to recast DNSSEC as mere transport protection measure.

It might be overengineered for this purpose, but DNSSEC is too
overengineered and, thus, complex to be a reliable protection.

> I doubt that a simpler, more lightweight protocol
> could be deployed with less effort.

Isn't port randomization enough?

If not, DNS over TCP is no more difficult to deploy than DNSSEC.

> I think I can understand your pains. With hindsight, the original
> IPv6 design ("Simple Internet Protocol") turned out to be superior to
> the current spec, too.

My understanding is that, though IPv6 is more complex than SIP, neither
really addresses the issue of routing table explosion, so they are
equally bad.

So, I'm recently working on a protocol named IP--, which is carefully
designed to enable automatic renumbering of not only customers but also
ISPs, which is an essential part of solving routing table explosion.

> It's not fair, but unfortunately, it doesn't matter. 8-(

It doesn't matter, because we keep using PODS and IPv4.

DNS in a new generation network will use 64 bit IDs.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
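Added example, not part of Ohta's post or anything else in the DNSOP thread: a small Python check a resolver operator can run over outbound query logs to answer the "is port randomization enough?" question for their own resolver. It labels the source port and transaction ID fields as fixed, sequential or randomized and reports how many port/ID combinations an off-path spoofer would have to match (the RFC 5452 reasoning: a fixed or predictable field contributes no uncertainty). The `query port=... id=0x...` log format and the two sample logs are assumptions constructed for this example; adapt `LINE_RE` to your resolver's actual log line.

```python
import random
import re

# Constructed log format (an assumption for this example, not any real
# resolver's output): one outbound query per line, e.g.
#   "query port=51234 id=0x3af1"
LINE_RE = re.compile(r"port=(\d+)\s+id=0x([0-9a-fA-F]{1,4})")

EPHEMERAL_PORTS = 65535 - 1024 + 1   # 64512 usable UDP source ports
TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID


def make_randomized_log(n=200, seed=7):
    """Constructed sample: a resolver that randomizes both port and ID."""
    rng = random.Random(seed)
    return [
        f"query port={rng.randint(1024, 65535)} id=0x{rng.randrange(TXID_SPACE):04x}"
        for _ in range(n)
    ]


def make_fixed_port_log(n=200):
    """Constructed sample: fixed source port, sequential transaction IDs."""
    return [f"query port=32768 id=0x{(0x1000 + i) & 0xFFFF:04x}" for i in range(n)]


def parse_log(lines):
    """Return (port, txid) pairs for every line that matches LINE_RE."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2), 16)))
    return pairs


def sequential_fraction(values):
    """Share of consecutive samples whose difference is exactly +1 (mod 2^16)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) & 0xFFFF == 1)
    return steps / (len(values) - 1)


def classify(values):
    """Label one field as 'fixed', 'sequential' or 'randomized'."""
    if len(set(values)) == 1:
        return "fixed"
    if sequential_fraction(values) > 0.5:
        return "sequential"
    return "randomized"


def assess(pairs):
    """Summarize port/ID behaviour and the resulting spoofer guess space."""
    ports = [p for p, _ in pairs]
    ids = [i for _, i in pairs]
    port_class = classify(ports)
    id_class = classify(ids)
    # An off-path forger must match port AND ID; a fixed or sequential
    # field is predictable and so adds no uncertainty.
    port_guesses = EPHEMERAL_PORTS if port_class == "randomized" else 1
    id_guesses = TXID_SPACE if id_class == "randomized" else 1
    return {
        "samples": len(pairs),
        "distinct_ports": len(set(ports)),
        "port": port_class,
        "txid": id_class,
        "guess_space": port_guesses * id_guesses,
    }


if __name__ == "__main__":
    for name, log in (("randomized", make_randomized_log()),
                      ("fixed-port", make_fixed_port_log())):
        print(name, assess(parse_log(log)))
```

A resolver whose report says `port: fixed` (or `txid: sequential`) is relying on at most 16 bits of randomness per query; the remedy is to upgrade or reconfigure the resolver so both fields randomize, which the check then confirms by showing `distinct_ports` close to the sample count and a guess space of roughly 2^32.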