[Dnssec-deployment] How to Motivate DNSSEC Deployment?
patrik at frobbit.se
Thu Dec 15 12:51:40 EST 2011
On 15 dec 2011, at 18:18, Steingruebl, Andy wrote:
> Getting end-clients to do full DNSSEC checking, which is necessary for DANE, is a ahard problem.
I personally disagree it is *necessary* for DANE. I have said so, but, other people have more energy than I arguing on that mailing list.
Reasoning is as follows: We have tons of last mile zeroconf issues anyway, and that must one day be resolved.
Until then, end user do trust whatever zeroconf mechanism is in use, including the of course weak stub-recursive communication.
We still get with DANE something, I claim, that is better than what we have today.
DANE together with SNI and even self-signed certificates brings us a better world.
But others disagree. Something I think is sad.
More information about the Dnssec-deployment