more ad hominem and irrelevant comparisons.
The key point is choice. Just as some people CHOOSE to install
products such as Norton Anti-Virus that stop certain applications
running on their machine, the typical Internet user should probably
CHOOSE to use a DNS service that has the known crimeware sites
The point is that the particular obsession with 'end to end' solutions
means that we lose the ability to deploy architectures that provide
greater protection against the attacks that actually matter.
DNS hijacking is a very rare type of attack. Securing the mapping of
DNS names to IP addresses will not provide a major reduction in
expected losses due to attacks. We already have domain validated SSL
certificates that meet that need quite adequately.
The value in DNSSEC lies in being able to establish a coherent network
based system of security policy distribution.
On Thu, Feb 18, 2010 at 7:41 PM, Paul Wouters <paul(_at_)xelerance(_dot_)com> wrote:
> On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
>> The point is not to protect the DNS. The point is to protect the
>> people. And that means that maybe you don't want your machine to
>> resolve every domain name.
> That sounds very much like the tapping/crypto debate. "You may not
> secure your communications because we're using its weaknesses for your
> Not securing DNS because some people are using it for something completely
> different, namely a filtering service, is not an acceptable solution.
> But besides that, services like opendns can still fetch and validate DNS,
> and then continue to strip and rewrite it for those end users that prefer
> such a service. DNSSEC does not change that at all.
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
Ietf mailing list
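The architecture Paul describes in the quoted message, a resolver that validates DNSSEC first and only then rewrites answers for users who opted into filtering, is what BIND's response policy zones (RPZ) implement. The following named.conf fragment and policy zone are an added illustration and are not from the thread or from any of the services mentioned in it; the client range 192.0.2.0/24, the zone name rpz.local, the blocked names bad.example and phish.example, and the redirect address 192.0.2.10 are all constructed placeholders.

```conf
// named.conf (added example, not from the thread)
// A recursive resolver that validates every answer against the DNSSEC
// chain of trust, then applies a local response policy before the answer
// reaches the client. Validation and policy are separate steps, so a
// forged upstream answer is rejected as bogus before the policy is consulted.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.0/8; 192.0.2.0/24; };   // constructed client range
    dnssec-validation auto;   // validate using the built-in root trust anchor

    // Rewrite answers according to the rpz.local zone. Without
    // "break-dnssec yes", BIND leaves signed answers untouched for clients
    // that set the DO bit (i.e. clients that validate for themselves), so
    // the filtering only affects clients that do not ask for DNSSEC data.
    // With it, the rewrite is applied to everyone; the rewritten answer
    // carries no valid RRSIG, so a client that validates on its own will
    // see SERVFAIL/bogus rather than a silently substituted record.
    response-policy { zone "rpz.local"; } break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };    // policy data is never served directly
};

; ---------------------------------------------------------------------
; rpz.local.db (constructed policy zone; names and addresses are placeholders)
; Owner names are the queried names (QNAME triggers), relative to rpz.local.
$TTL 300
@                 IN SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@                 IN NS    localhost.
bad.example       IN CNAME .              ; CNAME "." => answer NXDOMAIN
*.bad.example     IN CNAME .              ; and for every name under it
phish.example     IN A     192.0.2.10     ; local data => redirect to a walled-garden page
```

The thing to check when deploying this is exactly the caveat Paul's claim glosses over: a rewritten answer cannot be signed by the zone's real key, so the two choices are to exempt validating clients from filtering (BIND's default) or to knowingly break validation for them (`break-dnssec yes`). Either way the resolver itself still validated the upstream data, which is the point being made in the thread.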