Reality check (was Wildcard NS and DNSSEC)

Post by masataka o » Fri, 31 Oct 2003 13:13:39


Rob Austein;


I do love simple approaches.

However, in this case, the complexity is not in wildcard but
in DNSSEC.

So, the proper question is

do we need DNSSEC?

and the reality is that we don't.

Just discard DNSSEC and move along.

Masataka Ohta
 
 
 

Reality check (was Wildcard NS and DNSSEC)

Post by Masataka O » Tue, 11 Nov 2003 14:02:53

Hi, I'm posting to both DNSEXT and DNSOP.

As I post to DNSEXT ML,


I think secure DNS, with its complexity, is hard to deploy and is
not worth the deployment effort.

Given that the security problem on small ID space is solvable (as was
discussed recently with subject "preventing cache contamination"),
do we still have to try to get secure DNS deployed (in vain)?

Masataka Ohta

 
 
 

Reality check (was Wildcard NS and DNSSEC)

Post by bert huber » Tue, 11 Nov 2003 16:25:29





Some days ago I wrote http://www.yqcomputer.com/

Bert.

--
http://www.yqcomputer.com/ Open source, database driven DNS Software
http://www.yqcomputer.com/ Linux Advanced Routing & Traffic Control HOWTO
 
 
 

Reality check (was Wildcard NS and DNSSEC)

Post by Masataka O » Wed, 12 Nov 2003 02:39:38

Bert;



I mostly agree (of course).

But, note that it was intended to provide confidentiality by
sharing an IPSEC session key with public keys of a host obtained
from secure DNS, though it is not practical for the reasons you
mentioned.

Masataka Ohta