[no hat]
On Tue, Aug 12, 2008 at 12:00:09PM +0900, Masataka Ohta wrote:
> Social implementations of DNSSEC may be (or, considering its complexity,
> will always be) vulnerable to tampering from any person.
This seems like a strong claim. Are you really just claiming that,
because humans are inv
On Aug 11, 2008, at 11:00 PM, Masataka Ohta wrote:
> If you are talking about security relative to the amount of
> operational effort (that is, money!!!), PODS is definitely
> more secure than DNSSEC.
I think if you were to try to explain this by presenting real-world
statistical data to support you
This message seems to answer many of the questions over the last few
days.
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
-- Forwarded message --
Date: 10 Aug 2008 00:28:22 -
From: D.
On Aug 12, 2008, at 6:56 PM, Dean Anderson wrote:
> This message seems to answer many of the questions over the last few
> days.
.SE have 922 domains with DS records. The lack of .COM domains is
probably because .COM is not signed. It is much easier to put a trust
anchor in your resolver for
On Mon, 11 Aug 2008, Paul Wouters wrote:
[Paul Wouters is a frequent NANOG poster.]
> DNSSEC has been deployed on large scale by some TLD's and RIR's already.
> It is very much operational.
Not very much--99 domains out of 70 million in .com.
Your argument would be stronger if you identified wh
On Tue, 12 Aug 2008, Mark Andrews wrote:
> TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes
> in the security model which are being exploited today.
I don't know of any TCP exploits today. Though TCP is not secure against
anyone in the path of the packets, it's pretty invulnera
On Aug 12, 2008, at 11:40 AM, Dean Anderson wrote:
> > DNSSEC has been deployed on large scale by some TLD's and RIR's
> > already.
> > It is very much operational.
> Not very much--99 domains out of 70 million in .com.
As has been pointed out, .COM is not signed. The fact that there are
99 zones signe
On Tue, 12 Aug 2008, Dean Anderson wrote:
> On Mon, 11 Aug 2008, Paul Wouters wrote:
> [Paul Wouters is a frequent NANOG poster.]
a handful of postings in years is frequent?
> > DNSSEC has been deployed on large scale by some TLD's and RIR's already.
> > It is very much operational.
> Not very much--99
On 12 Aug 2008, at 14:50, Dean Anderson wrote:
> On Tue, 12 Aug 2008, Mark Andrews wrote:
> > TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes
> > in the security model which are being exploited today.
> I don't know of any TCP exploits today.
Imagine being able to intercept arbit