[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)

To: Shane Kerr <Shane_Kerr@isc.org>
Subject: Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
From: bert hubert <bert.hubert@netherlabs.nl>
Date: Mon, 4 Dec 2006 13:39:30 +0100
Cc: Ralph Droms <rdroms@cisco.com>, namedroppers@ops.ietf.org
Delivery-date: Mon, 04 Dec 2006 12:42:04 +0000
Envelope-to: namedroppers-data@psg.com
User-agent: Mutt/1.5.9i

On Mon, Dec 04, 2006 at 11:45:03AM +0100, Shane Kerr wrote:
> Isn't this always the case with security though? What is the direct, immediate
> RoI for putting a lock on your door?

Try removing the lock from your office building and you find out quickly
enough.

Security IS part of doing business, and if it is more effort than it is
perceived to be worth, people don't do it. 

Perception is the key word here though.

My feeling however is that the full cost of DNSSEC (even without NSEC3)
vastly outweighs any perceived (or even: real) benefit.

See http://ds9a.nl/secure-dns.html for some further discussion. I don't
doubt DNS needs better security, but it doesn't warrant anything really
complex.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Prev by Date: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
Next by Date: Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
Previous by thread: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
Next by thread: Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
Index(es):
- Date
- Thread