[Dnssec-deployment] Simple Messages, was Re: accepting DS vs DNSKEY
thierry.moreau at connotech.com
Fri May 6 12:05:08 EDT 2011
Edward Lewis wrote:
> At 10:01 -0400 5/5/11, Thierry Moreau wrote:
>> More generally, this whole discussion is yet another example of this
>> technical community unable to provide a simple message about DNSSEC.
> Given that DNSSEC has only begun to be deployed, and deployed just
> partially in one use case (TLD) I wouldn't expect there to be a
> predominant set of conventional wisdom set in place.
> And given that to date we have not witnessed an attack that was stopped
> by the existing DNSSEC deployment nor have we seen an attack overrun a
> DNSSEC deployment, we don't really know the breaking points of the
> strategies taken, I am not surprised we haven't seen a coherent
> conventional wisdom come around.
> Despite analysis and research in the 90's, workshopping in the 00's,
> there is still much to learn. Defense is always that - planning is
> dandy but ultimately it will be the reacting that matters.
OK, you may have this opinion.
> We are a long ways away from having a "simple message" about anything
A) DNSSEC has the potential to raise the integrity confidence in data
retrieved from the DNS,
B) the technology is ready for deployment,
C) by virtue of integrity protection, a side effect of DNSSEC is to make
DNS operations less error-tolerant, requiring more operational discipline,
D) you may expect new Internet security schemes based on the enhanced
My main point is that item B is needlessly obscured by some technical
- Thierry Moreau