Re: Transition from 2535 to opt-in
[Quoting Paul A Vixie, on Nov 30, 21:33, in "Re: Transition from ..."]
> i keep looking at opt-in and DS and asking "how many more years will it take
> before we get the complexity managed in dnssec and have widely deployed it?"
Hi,
There are two issues here on which timely deployment, or
deployment at all, depends. First the conclusions:
DS: we need it.
OptIn: if OptIn, why not just forget NXT?
Let me explain:
- DS:
There is a real issue with the parent-child communication
in 2535, which must be resolved, before TLDs can deploy it.
Result: no solution no deployment.
On the other hand, there are quite a number of (TLD-)people
that are both ready and anxious to start deploying DNSSEC,
but just waiting for DS (or any other solution to deal with
the parental SIG over the child's KEY) to be accepted.
- Opt-In:
Opt-In will help superlarge TLDs, but IMHO it also changes
the basic idea of DNSSEC from:
"securing the DNS infrastructure"
into:
"securing small parts of the tree or even single RRsets"
From recent discussions, I have learned that many people
think that doing that is reasonable (although I personally
do not agree), because:
1. the DNS infrastructure is not that vulnerable anymore;
2. only few people believe full DNSSEC will ever be deployed;
3. there is real value in securing only the RRsets that
matter (KEYs, APPKEYs, CERT, www.bank.tld, etc.);
so, secure only what needs to be secured, and forget the rest.
My personal conclusion from this line of thinking is:
If ("IF") we go for Opt-In, then go for it all the way, and
just forget authenticated denial. This will really make
implementation and deployment much simpler, and thus speed
it up.
Regards,
-- ted