[Dnssec-deployment] Simple Messages, was Re: accepting DS vs DNSKEY

Thierry Moreau thierry.moreau at connotech.com
Fri May 6 12:05:08 EDT 2011

Edward Lewis wrote:
> At 10:01 -0400 5/5/11, Thierry Moreau wrote:
>> More generally, this whole discussion is yet another example of this
>> technical community unable to provide a simple message about DNSSEC.
> Given that DNSSEC has only begun to be deployed, and deployed just 
> partially in one use case (TLD) I wouldn't expect there to be a 
> predominant set of conventional wisdom set in place.
> And given that to date we have not witnessed an attack that was stopped 
> by the existing DNSSEC deployment nor have we seen an attack overrun a 
> DNSSEC deployment, we don't really know the breaking points of the 
> strategies taken, I am not surprised we haven't seen a coherent 
> conventional wisdom come around.
> Despite analysis and research in the 90's, workshopping in the 00's, 
> there is still much to learn.  Defense is always that - planning is 
> dandy but ultimately it will be the reacting that matters.

OK, you may have this opinion.

> We are a long ways away from having a "simple message" about anything 

What about

A) DNSSEC has the potential to raise the integrity confidence in data 
retrieved from the DNS,

B) the technology is ready for deployment,

C) by virtue of integrity protection, a side effect of DNSSEC is to make 
DNS operations less error-tolerant, requiring more operational discipline,

D) you may expect new Internet security schemes based on the enhanced 
DNS integrity.

My main point is that item B is needlessly obscured by some technical 


- Thierry Moreau
