Re: DNSSEC is hard to get right

2010-08-31 10:28:50
DNSSEC is a PKI and running a PKI is never a trivial matter.

One of the reasons I have serious concern about the prospects for
deployment of DNSSEC is that the answer to many of my questions is
either a blank stare, an off-the-cuff answer clearly made up on the
spot, or the claim that it is something for the market to decide on.

As things stand we have an excellent architecture for securing
distribution of DNS A and AAAA records. We are thus confident of our
ability to transfer attacks from the DNS system, where the effect of
attacks is pretty much localized, to the BGP system, whose fragility was
demonstrated only last Friday by RIPE. Is this really progress?


Out in Iraq, there is a water treatment plant that cost $110 million
to build. So far it has delivered absolutely no clean water to any
homes because nobody considered the need to build a pipe to connect
the water treatment plant to the city water mains.

There is a metaphor there if people want to see it.


On Tue, Aug 31, 2010 at 7:07 AM, Richard L. Barnes <rbarnes(_at_)bbn(_dot_)com> wrote:
Another view, for the visually inclined:
<http://dnsviz.net/d/iab.org/dnssec/>


On Aug 31, 2010, at 2:41 AM, Stephane Bortzmeyer wrote:

% check-sig iab.org
Name iab.org has an expired signature (20100829223019)

:-(
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

-- 
Website: http://hallambaker.com/