Anytime we want to get involved with DNS, we must keep in mind the current
state of security of the entire DNS system. If we end up defining some
form
of a DNS-based standard, perhaps we should mandate the use of secure DNS.
Unfortunately DNSSEC is pretty big and horrible and all tied together so
that one can't pick parts of it. It would be nice if DNSSEC were
implemented throughout the net, but I don't think it's going to happen in my
lifetime. So mandating secure DNS as part of a solution effectively rules
that solution out, unless secure DNS means something quite different from
DNSSEC.
The various partial solutions we apply don't need to be perfect either
individually or even in combination: let's remember "worse is better"
especially when worse is good enough.
Tom
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg