Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)

[Shane Kerr <Shane_Kerr@isc.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Apologies for a mostly non-technical mail that says what everybody already
knows. ]

Ralph Droms wrote:
> What is the direct, immediate RoI for the resources I have to commit to
> providing DNSSEC resolution for names in my zone?  My external contacts
> ("customers") may benefit from mitigation of attacks, but that's an indirect
> benefit.  

Isn't this always the case with security though? What is the direct, immediate
RoI for putting a lock on your door?

I think the reason things like DNS and routing security don't get much traction
is because there is much lower hanging fruit for attackers. If the end points of
the Internet weren't so insecure, then things would be different.

If DNSSEC stabilizes after NSEC3, then DNSSEC could slowly become part of the
BCP for network operators. The blocking factor here is the TLD (and the root),
which has little or nothing to do with RoI.

- --
Shane
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFc/wuMsfZxBO4kbQRAknGAKCno1hfO/JrNoyhsk+9rkEx94BMRwCginCo
VWL6Q40W+fGBrmwth3D67ds=
=Gzje
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>