
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 10:25:13

On Sep 11, 2013, at 12:38 PM, Phillip Hallam-Baker 
<hallam(_at_)gmail(_dot_)com> wrote:

>> I disagree.  DNSSEC is not just DNS: it's the only available, deployed, and 
>> (mostly) accessible global PKI currently in existence which also includes a 
>> constrained path of trust which follows already established business 
>> relationships.

> Except that virtually nobody uses DNSSEC and most of the registrars don't 
> support it.

I strongly disagree:

I had an easier time registering my DNSSEC test domain's DS records with the 
registrar than the nameservers themselves, using an obnoxious company that 
sponsors a NASCAR driver and has obnoxious TV ads.

Comcast and Google Public DNS both validate DNSSEC on all requests.

A small minority of clients can't fetch DNSSEC records, but most actually can, 
either through one of the recursive resolvers or over the Internet.

> And then there is that other PKI that is actually used to support a trillion 
> odd dollars worth of global e-commerce per year.

Which the NSA is man-in-the-middling with abandon, due in no small part to the 
lack of a constrained path of trust.  Google has effectively given up on the 
TLS PKI for their own use in Chrome: they hardcode the Google sub-CA.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver(_at_)icsi(_dot_)berkeley(_dot_)edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
