
Re: [Asrg] DNSSEC not deployable

2003-07-07 08:12:42
"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:

> Unless the IESG decides to intervene to reverse this situation
> ubiquitous deployment of DNSSEC will not be possible using the
> IETF approved specification.

To be honest, I doubt that the technical problems are relevant.

There is simply no application for DNSSEC.  Of course, it's nice to
get rid of the insecure DNS transport protocol with its tiny request
ID, but this doesn't warrant the incredible complexity of DNSSEC.
There are name-based attacks, of course (often employing the "@" trick
in http:// URLs, in other cases suitable domain names are registered),
but DNSSEC won't prevent any of them.

Now mail control could be *the* application that pushes DNSSEC, but
the current state seems to be that no single mail control solution
will evolve, and in a situation of multiple, competing solution
attempts, a DNSSEC requirement is a huge disadvantage.  (Anyway, for
the level of mail control we are aiming at, the security of the
current DNS is probably sufficient.)

> Regrettably the situation is no better with respect to BGP security.

Same here.  Even if some Secure BGP variant arrives which resolves the
trusted intermediates problem, the corresponding trusted registration
authority for relating ASNs, prefixes, and public keys won't come into
existence without government regulation.  Look at the state of current
WHOIS data to get a glimpse of the future.  I bet that many ISPs will
automatically certify customer announcements, to save money and avoid
scaring away customers.  What's worse, there are advanced frauds an
ISP is unlikely to detect.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
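The post above mentions the "@" trick in http:// URLs as a name-based attack that DNSSEC does nothing about. The following is an added example, not part of the original mailing-list post or any IETF work, showing why the trick works and how a defender can flag such URLs: the userinfo portion before the "@" is what a casual reader sees, but the browser connects to the host after it. The sample URLs and hostnames are constructed placeholders.

```python
"""
Added example (not from the original post): demonstrate the "@" trick in
http:// URLs and a simple defensive check for it.

RFC 3986 allows "userinfo@" before the host in the authority component.
A URL such as http://www.example-bank.test@203.0.113.10/login therefore
connects to 203.0.113.10, while the visible prefix suggests a bank site.
All hostnames and addresses below are constructed for illustration.
"""
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Return the host a client actually connects to (userinfo stripped)."""
    parts = urlsplit(url)
    # urlsplit already separates userinfo from the host on the last "@".
    return (parts.hostname or "").lower()


def looks_like_hostname(userinfo: str) -> bool:
    """Heuristic: a username containing a dot and no spaces usually
    impersonates a domain name rather than naming a real account."""
    return "." in userinfo and " " not in userinfo


def check_url(url: str) -> dict:
    """Classify a URL; 'suspicious' is True when userinfo masquerades as
    a hostname, the pattern the post calls the "@" trick."""
    parts = urlsplit(url)
    userinfo = parts.username or ""
    return {
        "url": url,
        "host": effective_host(url),
        "userinfo": userinfo,
        "suspicious": bool(userinfo) and looks_like_hostname(userinfo),
    }


if __name__ == "__main__":
    # Constructed sample URLs as a defender might see them in mail or logs.
    samples = [
        "http://www.example-bank.test@203.0.113.10/login",
        "http://www.example-bank.test/login",
        "http://alice@mail.example.test/",
    ]
    for u in samples:
        r = check_url(u)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} host={r['host']:22} userinfo={r['userinfo']!r}  {u}")
```

The check is deliberately conservative: a plain account name such as `alice@` is a legitimate use of userinfo and is not flagged, while a dotted "username" that reads like a domain is. In mail filtering this can be combined with rendering the effective host next to the link text so the reader sees where the link really goes.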
