[Dnssec-deployment] Simple Messages, was Re: accepting DS vs DNSKEY
Ed.Lewis at neustar.biz
Fri May 6 09:09:31 EDT 2011
At 10:01 -0400 5/5/11, Thierry Moreau wrote:

>More generally, this whole discussion is yet another example of this
>technical community unable to provide a simple message about DNSSEC.

Given that DNSSEC has only begun to be deployed, and deployed just
partially in one use case (TLD) I wouldn't expect there to be a
predominate set of conventional wisdom set in place.

And given that to date we have not witnessed an attack that was
stopped by the existing DNSSEC deployment nor have we seen an attack
overrun a DNSSEC deployment, we don't really know the breaking points
of the strategies taken, I am not surprised we haven't seen a
coherent conventional wisdom come around.

Despite analysis and research in the 90's, workshopping in the 00's,
there is still much to learn. Defense is always that - planning is
dandy but ultimately it will be the reacting that matters.

We are a long ways away from having a "simple message" about anything DNSSEC.

NeuStar You can leave a voice message at +1-571-434-5468

Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?