This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] What about the last mile, was: getting DNSSEC deployed
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] Maintenance on ns-pri.ripe.net
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Robert Story
rstory at sparta.com
Mon Feb 26 15:51:18 CET 2007
On Sat, 24 Feb 2007 16:18:43 +0100 Florian wrote: FW> Unfortunately, the real showstopper I see is that you cannot tell an FW> attack from an infrastructure change that happened to break DNSSEC. FW> But we need to provide some kind of fallback in case DNSSEC breaks FW> because we absolutely must ensure that we match plain DNS in terms of FW> availability. (And I don't think yet another security indicator FW> visible to the end user is the answer.) Well, you've got yourself painted into a corner here. I don't think you can have a fallback, or you haven't added any security. The only way to get an ISP to sit up and take notice will be the flood of support calls when they do something that breaks DNS, just as it it now. (Of course, this is also probably one of the reasons they are wary of deploying DNSSEC in the first place). FW> Running name resolution over 443/TCP to some central resolver FW> infrastructure suddenly seems much more attractive, doesn't it? Not particularly. Either way, you've got to get the ISPs to buy into a new way of thinking about DNS. Besides, I haven't seen any real detail on how this 443/tcp idea would work. I'm sure that if it got as much scrutiny as DNSSEC has had, it would turn out to not be as simple as it's proponents might think it is. -- Robert Story SPARTA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: not available URL: </ripe/mail/archives/dns-wg/attachments/20070226/62aa5c9c/attachment.sig>
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] Maintenance on ns-pri.ripe.net
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]