
[Asrg] RE: PLI and DNSSEC deployability and DNS based solutions

2003-03-07 04:54:08
> > On top of that DNSSEC presumes a PKI, which as we've seen over the
> > last 5 years is a hard thing to deploy in and of itself.
>
> Also untrue.
>
>               Phill

Well, we all already knew Phill believed that PKI is easily deployable and
he knows that a lot of people disagree with him about it.  This isn't really
the place to restart the wars about PKI models and methods of deployment and
models of business/trust.  But couldn't the company of which Phill is so
prominent an employee make PKI deployment a lot easier (i) by voluntarily
accepting some liability to third parties who rely on keys which it
certifies and (ii) by publishing repudiation lists in a far more public
manner?  I realise that (i) is a commercial rather than a technical issue so
it's not really proper to address that to Phill, but surely (ii) falls
within his remit?

Personally, I wish DNSSEC were fully deployed out there.  I suspect there
are two reasons it isn't:  laziness and vested interests.  The latter we can
probably overcome, but laziness will delay deployment for a very long time.

However, using some DNS capability to get better validation of the Mail From
component of an SMTP envelope doesn't require full deployment of DNSSEC, or
of PKI.  We can get some gain without that, and we need to determine whether
the gain is big enough in relation to the cost.

The questions we have to ask for reducing spam with something involving DNS
changes are (a) what proportion of DNSs will implement it and (b) what
proportion of spam is produced by people technically competent to bypass it.
The answers depend on whether you are using DNS as a key server or to serve
RMX records.

If you use it for RMX records, my answer to (a) is "close to zero, at least
in the short to medium term" and my answer to (b) is "it will kill off the
idiot amateurs and cause the professional spammers some minor inconvenience
in the short term until they build a work-around".  If you use DNS to
provide keys, my answer for (a) remains the same and my answer to (b) is
only marginally better than for the RMX case (because the answer to (a)
pretty well forces the answer to (b)).

My answers could be wrong, of course - and unlike some contributors to this
debate I am not going to accuse people who think they are wrong of
attempting to destroy this rg.  Certainly if DNSSEC were already fully
deployed that would change both my answers (wide deployment of DNSSEC would
indicate that the general laziness of sysadmins had somehow evaporated, and
would reduce the scope for spoofing DNS enormously).


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
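The RMX-style check discussed above (validating the MAIL FROM domain against sender networks served from DNS), as an added example that is not code from this thread or from the RMX draft. The record format (a list of CIDR networks keyed by domain) and the in-memory table standing in for DNS answers are assumptions made for illustration; the real RMX proposal defined its own wire format. The three verdicts map onto the two questions in the message: a domain with no record published gives "none" (question (a)), and a domain whose DNS the spammer controls, or a spoofed DNS answer in the absence of DNSSEC, gives "pass" (question (b)).

```python
"""Illustrative RMX-style envelope-sender check (added example).

Not code from the ASRG thread or from the RMX draft. The record format
(domain -> list of CIDR networks) is an assumption for illustration, and
FAKE_DNS is a constructed table standing in for DNS answers so that the
example runs offline.
"""
import ipaddress
import re

# Constructed sample data: domain -> networks permitted to use that domain
# in MAIL FROM. A missing key models a domain that has not deployed any
# record at all (question (a) in the thread).
FAKE_DNS = {
    "example.com": ["192.0.2.0/24"],
    "example.net": ["198.51.100.10/32", "2001:db8::/32"],
    # A spammer-controlled domain can publish a record authorising every
    # address (question (b)): the check only proves that the sender
    # controls the domain's DNS, not that the mail is wanted.
    "spammer.example": ["0.0.0.0/0", "::/0"],
}

# Matches "MAIL FROM:<reverse-path>", case-insensitively, as sent on the wire.
_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def envelope_domain(mail_from_line):
    """Return the lower-cased domain from an SMTP MAIL FROM line, or None
    for the null sender <> used by bounces, which has no domain to check."""
    m = _MAIL_FROM.match(mail_from_line.strip())
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % mail_from_line)
    path = m.group("path")
    if path == "":
        return None
    if "@" not in path:
        raise ValueError("reverse-path without domain: %r" % path)
    return path.rsplit("@", 1)[1].lower()


def lookup_policy(domain, dns=FAKE_DNS):
    """Return the published networks for domain, or None if it has none.
    `dns` is the constructed table; a real check would query DNS here."""
    nets = dns.get(domain)
    if nets is None:
        return None
    return [ipaddress.ip_network(n) for n in nets]


def check_mail_from(mail_from_line, client_ip, dns=FAKE_DNS):
    """Return "none", "pass" or "fail".

    "none": null sender or no policy published, so nothing can be decided;
    "pass": client_ip lies within a published network;
    "fail": a policy exists and client_ip is outside it, i.e. forgery of a
    domain that has deployed records, the one case the scheme catches.
    """
    domain = envelope_domain(mail_from_line)
    if domain is None:
        return "none"
    policy = lookup_policy(domain, dns)
    if policy is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    # Membership across address families is False, so a v4 client never
    # matches a v6-only policy and vice versa.
    return "pass" if any(ip in net for net in policy) else "fail"


if __name__ == "__main__":
    for line, ip in [("MAIL FROM:<alice@example.com>", "192.0.2.7"),
                     ("MAIL FROM:<alice@example.com>", "203.0.113.5"),
                     ("MAIL FROM:<bob@unpublished.example>", "203.0.113.5"),
                     ("MAIL FROM:<>", "203.0.113.5"),
                     ("MAIL FROM:<x@spammer.example>", "203.0.113.5")]:
        print(line, ip, "->", check_mail_from(line, ip))
```

Passing `dns=` a table of the attacker's choosing models a spoofed DNS answer: with no DNSSEC, a forged record for example.com that lists 0.0.0.0/0 turns a "fail" into a "pass", which is the point the message makes about DNSSEC reducing the scope for spoofing.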



Current Thread: [Asrg] RE: PLI and DNSSEC deployability and DNS based solutions, Tom Thomson