ietf-asrg

6 - Solutions - Dependencies of DNSSEC (was RE: [Asrg] DNSSEC not deployable)

2003-07-07 08:55:22
This is not the forum to debate reasons for the lack of deployment of
DNSSEC.

Solutions that rely on DNS should, of course, understand the limitations
that the current system imposes. However, the lack of DNSSEC does not
introduce a substantial risk for many of the proposed systems.



-----Original Message-----
From: Florian Weimer [mailto:fw(_at_)deneb(_dot_)enyo(_dot_)de] 
Sent: Monday, July 07, 2003 11:11 AM
To: Hallam-Baker, Phillip
Cc: 'Yakov Shafranovich'; Steven F Siirila; asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] DNSSEC not deployable


"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:

> Unless the IESG decides to intervene to reverse this situation
> ubiquitous deployment of DNSSEC will not be possible using the
> IETF approved specification.

To be honest, I doubt that the technical problems are relevant.

There is simply no application for DNSSEC.  Of course, it's 
nice to get rid of the insecure DNS transport protocol with 
its tiny request ID, but this doesn't warrant the incredible 
complexity of DNSSEC. There are name-based attacks, of course 
(often employing the "@" trick in http:// URLs, in other 
cases suitable domain names are registered), but DNSSEC won't 
prevent any of them.

Now mail control could be *the* application that pushes 
DNSSEC, but the current state seems to be that no single mail 
control solution will evolve, and in a situation of multiple, 
competing solution attempts, a DNSSEC requirement is a huge 
disadvantage.  (Anyway, for the level of mail control we are 
aiming at, the security of the current DNS is probably sufficient.)

> Regrettably the situation is no better with respect to BGP security.

Same here.  Even if some Secure BGP variant arrives which 
resolves the trusted intermediates problem, the corresponding 
trusted registration authority for relating ASNs, prefixes, 
and public keys won't come into existence without government 
regulation.  Look at the state of current WHOIS data to get a 
glimpse on the future.  I bet that many ISPs will 
automatically certify customer announcements, to save money 
and avoid scaring away customers.  What's worse, there are 
advanced frauds an ISP is unlikely to detect.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


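The reply above argues that the main technical thing DNSSEC buys is replacing a transport whose only key for matching an answer to a query is a 16-bit request ID. The following Python script is an added example, written for this page and not taken from either author or the ASRG list: it unpacks the DNS header (RFC 1035, section 4.1.1) so the 16-bit ID field is visible, and implements the acceptance check a resolver applies to an incoming reply, tying it to the transaction ID, the UDP port the query was sent from, and the question name, which is why modern resolvers randomize source ports rather than relying on the ID alone. The packet builders and every sample value (transaction ID 0x1234, example.com, 192.0.2.1, port 40000) are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

DNS_HEADER_LEN = 12          # fixed header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR_RESPONSE = 0x8000    # QR bit of the flags word: 1 = response, 0 = query


@dataclass(frozen=True)
class DnsHeader:
    txid: int        # 16-bit transaction ID: the only match key the base protocol offers
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_QR_RESPONSE)


def parse_header(msg: bytes) -> DnsHeader:
    """Unpack the 12-byte DNS header: six big-endian 16-bit fields (RFC 1035 4.1.1)."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    return DnsHeader(*struct.unpack("!6H", msg[:DNS_HEADER_LEN]))


def parse_question_name(msg: bytes) -> str:
    """Read the QNAME of the first question as uncompressed labels, lower-cased for comparison."""
    labels = []
    pos = DNS_HEADER_LEN
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed label in QNAME is not handled by this example")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero-length label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed sample: a standard recursion-desired query (qtype 1 = A, class IN)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, ipv4: bytes, qtype: int = 1) -> bytes:
    """Constructed sample: a response that echoes the question and carries one A record."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # The answer's owner name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + ipv4
    return header + question + answer


def response_matches(query: bytes, query_src_port: int,
                     response: bytes, response_dst_port: int) -> bool:
    """Resolver-side acceptance check for an incoming reply.

    query_src_port is the UDP port the query left from; response_dst_port is the port the
    reply arrived on. Matching on the 16-bit ID alone leaves only 65536 possibilities, so
    the check also requires the port and the question to match.
    """
    q, r = parse_header(query), parse_header(response)
    if not r.is_response:
        return False
    if q.txid != r.txid:
        return False
    if query_src_port != response_dst_port:
        return False
    if r.qdcount != 1 or parse_question_name(query) != parse_question_name(response):
        return False
    return True


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print("query txid: 0x%04x" % parse_header(q).txid)
    good = build_response(0x1234, "example.com", bytes([192, 0, 2, 1]))
    print("matching reply accepted:", response_matches(q, 40000, good, 40000))
    wrong_name = build_response(0x1234, "example.net", bytes([192, 0, 2, 1]))
    print("reply for other name accepted:", response_matches(q, 40000, wrong_name, 40000))
```

Run it directly to see the constructed query and replies being accepted or rejected; the `parse_question_name` helper deliberately refuses compression pointers in the question section, because the check should fail closed on anything it does not fully parse rather than guess.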

