Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
- To: <shane_kerr@isc.org>
- Subject: Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
- From: Ralph Droms <rdroms@cisco.com>
- Date: Thu, 07 Dec 2006 17:32:39 -0500
- Cc: <namedroppers@ops.ietf.org>
- Delivery-date: Thu, 07 Dec 2006 22:32:56 +0000
- Envelope-to: namedroppers-data@psg.com
- User-agent: Microsoft-Entourage/11.2.5.060620

I think the root and the TLD is just one blocking factor. Then, there's the
DNSSEC-aware recursive servers, the DNSSEC-aware host resolvers, signing all
those organization zones, and the fundamental "what's my ROI" question.

I have this vision of a jigsaw puzzle with about 6 or 8 pieces, that we have
to drop from a couple of feet off the ground and have all the pieces land in
place, interlocked, all at once to make DNSSEC fly...

The immediate RoI isn't directly like locking your door, because you don't
have the risk of anything being stolen *directly* from you if you don't
apply DNSSEC to your zones. It's more indirect - somebody else trying to
access your website won't be robbed through a phishing attack if you put a
lock on your door.

- Ralph

On 12/4/06 5:45 AM, "Shane Kerr" <Shane_Kerr@isc.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [ Apologies for a mostly non-technical mail that says what everybody already
> knows. ]
>
> Ralph Droms wrote:
>> What is the direct, immediate RoI for the resources I have to commit to
>> providing DNSSEC resolution for names in my zone? My external contacts
>> ("customers") may benefit from mitigation of attacks, but that's an indirect
>> benefit.
>
> Isn't this always the case with security though? What is the direct, immediate
> RoI for putting a lock on your door?
>
> I think the reason things like DNS and routing security don't get much traction
> is because there is much lower hanging fruit for attackers. If the end points of
> the Internet weren't so insecure, then things would be different.
>
> If DNSSEC stabilizes after NSEC3, then DNSSEC could slowly become part of the
> BCP for network operators. The blocking factor here is the TLD (and the root),
> which has little or nothing to do with RoI.
>
> - --
> Shane
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFc/wuMsfZxBO4kbQRAknGAKCno1hfO/JrNoyhsk+9rkEx94BMRwCginCo
> VWL6Q40W+fGBrmwth3D67ds=
> =Gzje
> -----END PGP SIGNATURE-----