Phillip Hallam-Baker wrote:
What Mark is saying here is that DNSSEC is not designed to provide
very much security and so does not need to be very secure.
What I'm saying is that plain old DNS is no less secure than
DNSSEC.
What I am saying is that people are already assuming that DNSSEC
provides a very much higher standard of security and that this is
going to lead to new security failures.
Right, people who say "Historic Moment - Root zone of the Internet
was just signed minutes ago!!!" are easy victims.
> 1) Cancel DNSSEC
>
> Not happening, move on.
The cancellation is not happening primarily because DNSSEC is
not really happening.
> 3) Design a DNSSEC 2.0 that meets the expectations.
>
> Which is I think a lot easier than it may appear.
All we need is real deployment of DNS with longer message IDs.
See my recent (7/13) dnsext mail titled:
[dnsext] Extended ID or ask again
for details.
Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf