On Fri, 13 Mar 2015, Paul Vixie or Morizot Timothy S wrote:
[not sure of the quoting in this message]
> DNSSEC is [...] even less finished and less deployed than IPv6.
I have to disagree with this continued claim by opponents of DNSSEC that it is not widely deployed. The fact that Apple had an outage that was caused by DNSSEC actually shows it has been deployed widely! All Google DNS and Comcast clients were affected! That's probably more than all IPv6 users. Also, while the DNSSEC opponents screamed (well, tweeted) murder and called for throwing out DNSSEC, when the next day all the online Apple Stores were down because of Apple's "internal DNS error", those DNSSEC opponents were very quiet and not screaming to rip DNS out of the internet :P
> then what we know now we'd've scrapped DNS itself and started from scratch just to avoid the compromises we've made.
And we would not be able to avoid some of the same issues. For example, any newly made solution would have the same choice of deciding in the browser to soft fail or hard fail (or do a pop-up). People now complain about the "hard fail" nature of DNSSEC in browsers, but DNSSEC has actually been designed to allow a soft fail. All the browsers need to do in response to a ServFail is to re-issue the query with the CD bit set and if they receive an answer on the second go, pop-up to the user for an override.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
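The soft-fail sequence Paul describes (query, get SERVFAIL, re-query with CD=1, and only then ask the user) is easy to get subtly wrong, so here is a worked version as an added example. This is not code from the thread or from any resolver or browser; it builds raw DNS messages by hand and talks to a constructed in-process stand-in for a validating resolver, so it runs offline. The names `bogus.example.` and `dead.example.`, the 192.0.2.1 address, and the `send` callback are assumptions of this example, not anything in the message above.

```python
import random
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

# Names and addresses below are constructed for this offline demo.
BOGUS_NAME = "bogus.example."   # stands in for a zone with a broken signature
DEAD_NAME = "dead.example."     # stands in for a zone whose servers are unreachable
DEMO_ADDRESS = bytes([192, 0, 2, 1])  # TEST-NET-1 documentation address


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, cd=False, txid=None):
    """Build a recursive A query; cd=True sets the Checking Disabled bit."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields a stub resolver needs to make its decision."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & 0x0F, "qdcount": qd,
            "ancount": an, "cd": bool(flags & CD), "ad": bool(flags & AD)}


def qname_of(msg):
    """Decode the first question name (our own queries never use compression)."""
    labels, i = [], 12
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels) + "."


def resolve_with_cd_fallback(name, send):
    """Soft-fail strategy: on SERVFAIL, retry with CD=1 and hand the decision
    (e.g. a user prompt) back to the caller instead of silently using the
    unvalidated data. `send` takes query bytes and returns response bytes."""
    q = build_query(name)
    r = parse_header(send(q))
    if r["id"] != parse_header(q)["id"]:
        return ("hard_fail", "transaction id mismatch")
    if r["rcode"] != RCODE_SERVFAIL:
        return ("validated" if r["ad"] else "unsigned_or_unvalidated", r)
    # Second attempt: ask the resolver to skip validation.
    q2 = build_query(name, cd=True)
    r2 = parse_header(send(q2))
    if r2["id"] != parse_header(q2)["id"]:
        return ("hard_fail", "transaction id mismatch")
    if r2["rcode"] == RCODE_NOERROR and r2["ancount"] > 0:
        # Data exists but failed validation: proceed only on explicit override.
        return ("needs_user_override", r2)
    # SERVFAIL even with CD=1 is an ordinary outage, not a DNSSEC failure.
    return ("hard_fail", r2)


def fake_validating_resolver(query):
    """Constructed stand-in for a validating recursive resolver (no network)."""
    hdr = parse_header(query)
    question = query[12:]
    name = qname_of(query)
    if name == DEAD_NAME or (name == BOGUS_NAME and not hdr["cd"]):
        flags = QR | RD | RA | RCODE_SERVFAIL
        return struct.pack("!HHHHHH", hdr["id"], flags, 1, 0, 0, 0) + question
    # One A record in the answer; AD is set only when validation actually ran.
    flags = QR | RD | RA | (CD if hdr["cd"] else AD)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + DEMO_ADDRESS
    return struct.pack("!HHHHHH", hdr["id"], flags, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    for n in ("good.example.", BOGUS_NAME, DEAD_NAME):
        print(n, resolve_with_cd_fallback(n, fake_validating_resolver)[0])
```

Two points the code makes explicit that the prose leaves implicit: a SERVFAIL that persists with CD=1 is an ordinary resolution failure and should stay a hard failure rather than trigger a prompt, and an answer obtained with CD=1 carries no AD bit and must be treated as unvalidated by whatever consumes it (TLS, for instance, still has to do its own job).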