Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
At 13:39 +0100 12/4/06, bert hubert wrote:
> Perception is the key word here though.
No pun intended, yes, it's all perception.
My feeling however is that the full cost of DNSSEC (even without NSEC3)
vastly outweighs any perceived (or even: real) benefit.
Having worked with DNSSEC for more than two years, I know a lot about
what DNSSEC is. But knowing how (well) it is constructed doesn't
mean it is the right solution to the problems we have now.
Times change, problems change. What was probably the best solution
in 1996 might not be the best solution in 2007. Just because DNS has
a vulnerable protocol state and DNSSEC offers a means to defend it
does not mean DNSSEC is the answer.
This doesn't mean DNSSEC ought to be abandoned. But I do wonder why,
if DNSSEC is the solution to problems, it isn't wholeheartedly
adopted. I don't hear anyone saying "I'd love to use DNSSEC, but
could you adjust it here or there?" I.e., I don't see a building
demand for it.
DNSSEC does take a water-tight approach to security; it would be able
to defend against a lot of forms of attack and supports all of the
robustness principles of the DNS (caching, replication, etc.). But is
the effort to be this secure worth the cost? I haven't seen anyone who
says yes to the latter with an open wallet.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Dessert - aka Service Pack 1 for lunch.
--
archive: <http://ops.ietf.org/lists/namedroppers/>