RE: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)

["Hallam-Baker, Phillip" <pbaker@verisign.com>]

> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Shane Kerr

> Isn't this always the case with security though? What is the 
> direct, immediate RoI for putting a lock on your door?

Rarely from securing an existing infrastructure.

Don't expect the existing uses of DNS to drive deployment of the DNSSEC infrastructure. It can only serve those needs after the infrastructure is almost complete.

Deployment of DNSSEC will be driven by the deployment of domain centric security infrastructure such as DKIM and policy based network administrating to address the emerging challenge of deperimeterization.

There is a solid business case there but don't expect early adopters to be the ones who are already satisfied. 

> I think the reason things like DNS and routing security don't 
> get much traction is because there is much lower hanging 
> fruit for attackers. If the end points of the Internet 
> weren't so insecure, then things would be different.

The business case for routing security will be driven by regulation.

> If DNSSEC stabilizes after NSEC3, then DNSSEC could slowly 
> become part of the BCP for network operators. The blocking 
> factor here is the TLD (and the root), which has little or 
> nothing to do with RoI.

Stability is not a necessary condition for deployment. Meeting the criterial considered essential by the key infrastructure providers is.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>