[dns-operations] Forgery resilience idea - wildcard cooperative defense
bert hubert
bert.hubert at netherlabs.nl
Thu Aug 7 17:38:19 UTC 2008
On Thu, Aug 07, 2008 at 05:18:28PM +0000, Paul Vixie wrote:
> any solution requiring cooperative action/change by both the RDNS and ADNS
> has a cost that's equivalent to "deploy DNSSEC". the thing that's good
That's simply not true - DNSSEC does not function automatically even if both
ADNS and RDNS support it.

DNSSEC needs a change to:

    ADNS,
    RDNS,
    the zone,
    the registry,
    the registrar,
    and even the operational procedures of the domain owner.

    (the stub, the application - if you want to give the end-user a
    choice)

EDNS PING or other entropy enhancing solutions provide benefit to anybody
deploying them, without further work, and require only ADNS and RDNS work.
DNSSEC provides lots of other things beyond entropy of course.
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services