This is not the forum to debate reasons for the lack of deployment of
DNSSEC.
Solutions that rely on DNS should, of course, understand the limitations
that the current system imposes. However, the lack of DNSSEC does not
introduce a substantial risk for many of the proposed systems.
-----Original Message-----
From: Florian Weimer [mailto:fw(_at_)deneb(_dot_)enyo(_dot_)de]
Sent: Monday, July 07, 2003 11:11 AM
To: Hallam-Baker, Phillip
Cc: 'Yakov Shafranovich'; Steven F Siirila; asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] DNSSEC not deployable
"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:
> Unless the IESG decides to intervene to reverse this situation
> ubiquitous deployment of DNSSEC will not be possible using the
> IETF approved specification.
To be honest, I doubt that the technical problems are relevant.
There is simply no application for DNSSEC. Of course, it's
nice to get rid of the insecure DNS transport protocol with
its tiny request ID, but this doesn't warrant the incredible
complexity of DNSSEC. There are name-based attacks, of course
(often employing the "@" trick in http:// URLs, in other
cases suitable domain names are registered), but DNSSEC won't
prevent any of them.
Now mail control could be *the* application that pushes
DNSSEC, but the current state seems to be that no single mail
control solution will evolve, and in a situation of multiple,
competing solution attempts, a DNSSEC requirement is a huge
disadvantage. (Anyway, for the level of mail control we are
aiming at, the security of the current DNS is probably sufficient.)
> Regrettably the situation is no better with respect to BGP security.
Same here. Even if some Secure BGP variant arrives which
resolves the trusted intermediates problem, the corresponding
trusted registration authority for relating ASNs, prefixes,
and public keys won't come into existence without government
regulation. Look at the state of current WHOIS data to get a
glimpse of the future. I bet that many ISPs will
automatically certify customer announcements, to save money
and avoid scaring away customers. What's worse, there are
advanced frauds an ISP is unlikely to detect.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg