> On 24 Jul 2008, at 11:40, Joe Greco wrote:
>>> Compared with the problem of global DNSSEC deployment, getting
>>> everybody in the world to patch their resolvers looks easy.
>>
>> Of course. That's why I said that deploying this patch was
>> something that
>> could be done *too*.
>
> OK, good.

Yeah, I'm not arguing against mitigating the immediate problem, but rather:

> Sorry if I misinterpreted your earlier message.

The problem is that we have this reactionary mindset to threats that have been known for a long time, and we're perfectly happy to issue one-off band-aid fixes, often while not fixing the underlying problem.

DNSSEC was designed to deal with just this sort of thing. In almost TWO DECADES since Bellovin's paper, which was arguably the motivation behind DNSSEC, we've ... still got an unsigned root, unsigned gTLDs, unsigned zones, and we've successfully managed to get Gates to train users to click on "OK" for any message where they don't understand what it's trying to say, so relying on security at other layers isn't particularly effective either.

Collectively, those of us reading this list are responsible for creating at least part of this mess, either through inaction or foot-dragging.

Welcome to the Internet that we've created.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.