Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)

[bert hubert <bert.hubert@netherlabs.nl>]

On Mon, Dec 04, 2006 at 09:45:07AM -0500, Edward Lewis wrote:

> DNSSEC does take a water-tight approach to security, it would be able 
> to defend a lot of forms of attack and supports all of the robustness 
> principles of the DNS (caching, replication, etc.).  But is the 
> effort to be this secure worth the cost?  I haven't seen anyone who 
> says yes to the latter with an open wallet.

We've asked many of our customers and users this exact question: would you
be willing to fund DNSSEC development in PowerDNS, and the answer has so far
always been a resounding 'no'.

We've seen people list "DNSSEC" (w/o further specification) as a
requirement, but nobody clamoured for it enough to pay a (modest) premium
for it.

To put this statement into perspective, in many areas, including some of the
largest internet markets (ie, Germany), PowerDNS controls >50% of domains
right now, and in others over 40% of resolving needs.

So if there were a 'hidden demand' for DNSSEC, or even 'more secure DNS'
we'd heard of it by now.

And I agree fully with Bill Manning's statement that most people previously
willing to fork over money for DNSSEC protocol development now have "an
empty wallet, and nothing (much) to show for it".

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>