
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-11 14:39:24
On Wed, Sep 11, 2013 at 12:26 PM, Nicholas Weaver <nweaver(_at_)icsi(_dot_)berkeley(_dot_)edu> wrote:

> On Sep 11, 2013, at 9:18 AM, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
>
>> The DNS is the naming infrastructure of the Internet. While it is in
>> theory possible to use the DNS to advertise very rapid changes to Internet
>> infrastructure, the practice is that the Internet infrastructure will look
>> almost exactly the same in one hour's time as it does right now.
>>
>> Using DNS data from 24 hours earlier might create reliability issues but
>> should never introduce a security risk. Anyone who is relying on the DNS
>> for data that is more time sensitive than 1 hour is doing it wrong.
>
> I disagree.  DNSSEC is not just DNS: it's the only available, deployed, and
> (mostly) accessible global PKI currently in existence which also includes a
> constrained path of trust which follows already established business
> relationships.


Except that virtually nobody uses DNSSEC and most of the registrars don't
support it.

And then there is that other PKI that is actually used to support a
trillion odd dollars worth of global e-commerce per year.


DNSSEC has been about to exist ever since I started on the Web over two
decades ago now. It is still not in use to support any business
transactions. So to present it as the only PKI when it isn't yet deployed
is showing a distinct lack of common sense and acceptance of reality.

-- 
Website: http://hallambaker.com/