
Re: Transition from 2535 to opt-in



Paul,

At 12:05 PM 11/30/2001 -0800, Paul A Vixie wrote:
>i keep looking at opt-in and DS and asking "how many more years will it take
>before we get the complexity managed in dnssec and have widely deployed it?"

Yes.

>i have an alternative proposal.  use hardware crypto and sign .COM with the
>protocol we have now and stop the merry-go-round of dnssec protocol development
>before a lot of us are overcome with motion sickness.

While I too would like the merry-go-round to stop, signing large zones like 
.COM isn't the problem, or rather it is among the easier problems to solve 
-- just throw hardware at it as you note.  The harder problem to solve is 
propagating O(10 GB) worth of DNS data globally in a short amount of time 
(particularly in the worst case scenario of private key compromise).  The 
next hardest problem to solve is key management, particularly in the same 
worst case scenario.  The hardest problem to solve is to convince people 
DNSSEC does something useful -- it appears there is a view that protecting 
name/address translations isn't particularly interesting given there are 
other ways of skinning that particular security cat that are already in use 
(e.g., SSL, TLS, etc.).  Of course, the DNS can be used for things other 
than name/address translations and ensuring the integrity of that data 
would probably be important; however, there are people who believe that such 
use of the DNS is ill-advised.  Fix the last problem and I'm sure DNSSEC 
will be deployed, regardless of what the IETF thinks needs to be done wrt 
the standards.

Rgds,
-drc


