From: Dean Anderson [mailto:dean(_at_)av8(_dot_)com]
It is not DNSSEC that is broken.
Anycast has been deployed for four years. Any change to the DNS
infrastructure that is incompatible with use of anycast is not
acceptable and will not be deployed.
Anycast significantly improves the response time and the robustness of
DNS operations and allows operations to be made more scalable and run
more economically.
Core DNS is subject to continuous DDoS attacks. Without anycast there is
a possibility that at some point in the future it might not be possible
to support the bandwidth needed to defeat these attacks.
The DNS has operated successfully without DNSSEC up to this point. The
onus is always on those proposing a change to work within the deployed
infrastructure.
The DNSSEC spec makes several proposals that appear to address the
packet fragmentation issue. If you think these are inadequate you should
explain why.
Phill
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf