Hi,

>> "DNS is insecure, live with it" may be the best answer. Why keep throwing
>> good effort after bad?

> it's not, though, the best answer. we have to secure the DNS resolution path.
Probably a terminology issue, but I think we need to secure the data, not the resolution path. I'm not a particular fan of DNSSEC for a number of reasons; however, what the Kaminsky thing demonstrated to me was that as long as the data is not protected, there are going to be path-based attacks that are going to allow for compromise. I see DNSSEC as a way of being able to stop playing whack-a-mole with those path-based attacks.

> i'd rather see them turn off validation than see negative trust anchors
> added to the specification.

Simply: I believe without NTAs, DNSSEC will not get deployed except by a few 'true believers'.

Regards,
-drc