> Nicholas Weaver <nwea...@icsi.berkeley.edu>
> Saturday, March 14, 2015 5:07 AM
>
> ...
>
> Overall, unless you are validating on the end host rather than the
> recursive resolver, DNSSEC does a lot of harm from
> misconfiguration-DOS, but almost no good.
several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to be a trivial exercise, because it finally provided justification for what was at that time 12 years of apparently-wasted effort on DNSSEC. you're entirely right that the end-system case (for example, DANE) is the only actual justification for the added costs and risks of Secure DNS, and you'd be right if you said that the current system is both over- and under-engineered for this sole actual use case.

because it takes so many years to get everybody's permission to make any change to the DNS protocol, and so many more years to get everybody's permission to make any change of this magnitude to the root zone, the cost of giving up and starting over necessarily includes not just the tear-down but the re-negotiation. not practical. so we'll keep pushing the crap system we have, uphill all the way, no one loving it, and almost everyone in fact hating it.

we've now spent more calendar- and person-years on DNSSEC than was spent on the entire IPv4 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort began. ugly, ugly, ugly.

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop