[dnssec-deployment] What does DNSSEC enable?
bmanning at vacation.karoshi.com
Wed Jan 12 12:53:06 EST 2005
On Wed, Jan 12, 2005 at 05:42:21PM +0000, Paul Vixie wrote:
> > my fear is that we are taking the "easy" path to DNSSEC
> > acceptance - building a business case - by turning a signed
> > hierarchy into a general purpose PKI-like thing.
>
> as a counterpoint, i don't see any other way to get dnssec deployed.
> yes, it's mischievous to offer people chocolate that turns out to be
> carob. however, there's just no other way to get them to bite on this.
when that type of bait/switch occurs there are three
classes of response:
1) vote w/ your feet - in this case - never turn the thing on again
2) sue for false advertising - the potential liabilities are so great
   that someone has to take the responsibility.
3) the great unwashed are so dumb that they will pay the cost
in other words - carob ain't chocolate - most folks will spit it out and
want their money back... imho
for me, i'm taking the approach that DNSSEC is kind of like
updated building code specs for things like earthquake mitigation.
it costs more to retrofit my hot water heater with extra straps.
but if i want insurance at all, then it must be done.
--bill