> Paul Hoffman <mailto:paul.hoff...@vpnc.org>
> Friday, February 06, 2015 9:25 AM
>
> History: some registries still think that DNSSEC is a new experiment
> and don't want to spend the effort to support it until it is "real".

perhaps the apparent need for negative trust anchors has bolstered the sense that DNSSEC is still experimental. or perhaps it's the fact that after 19 years of development, the protocol still isn't finished and no application depends on DNSSEC or behaves differently in the presence of DNSSEC?

> Risk: a registry saying that it will update DS records in a timely
> fashion is a cost with no perceived benefit to the registry.

if i were a registrar that's the position i'd take, until i saw counter-risk of customer migration away from me. because as of this moment, DNSSEC adds risk and cost always, benefit never. we can't make that not-so by wishing or pretending otherwise, or by ignoring the facts as they clearly are.

note: i'm not a hater. i want DANE, and other DNSSEC-enabled applications. i think we need DNSSEC. i'm just incredibly sympathetic to anyone who says it's not here yet and that it demonstrates very little inevitability.

see also: <http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/>.

--
Paul Vixie