
RE: Summary: DNSEXT WGLC: To OPT-IN or not to OPT_IN



> Hallam-Baker, Phillip writes:
> > All anyone is talking about is adding crypto to the DNS
> 
> Security is not some optional feature that we want a few people to ``opt
> in'' to. We need a security system that works for _all_ DNS records.

Tough, there is no way of securing www.xyz.com unless xyz.com chooses
to deploy DNSSEC in the zone.

So your argument does cut both ways.


> Evidently the .com people don't think they can sign all their records.
> That's a serious problem. It has to be fixed. Opt-in doesn't fix it.
> 
> > What value do you claim there is to securing the delegation without
> > any security on the delegated zone?
> 
> Communication from the zone server is often secured by mechanisms other
> than DNSSEC. But this is a side issue.

No it isn't; it is absolutely the central issue.

Trying to pretend that securing dotCOM is relevant if the subdomains 
are insecure is precisely the bogus security you are arguing against.


> I'm talking about a different situation, the situation we're aiming for:
> namely, having _all_ zones signed. The .com people can't handle this.
> Opt-in doesn't help the .com people handle it. Opt-in tends to hide the
> fact that they can't handle it.

If you want dotcom signed then best provide a spec that meets the
criteria of the operator.

If you want to propose an alternative that meets those criteria
then do so.


	Phill

archive: <http://ops.ietf.org/lists/namedroppers/>