Mark Andrews wrote:

Just saying, facts are on my side. Check the number of times DNSSEC
caused an outage. Then check the number of hacks prevented by
DNSSEC. Literally 0.

How do you know?  Unless you investigated every single time DNSSEC
validation returned bogus to get to the root cause you cannot know.
How?

Because most birthday attacks for plain DNS will fail, you can
almost always know a DNSSEC answer is bogus by comparing answers
from DNSSEC and plain DNS.

That the root cause may not be known is not a problem.

                                                Masataka Ohta
