[dns-operations] [Nst] A Case Against DNSSEC (A Matasano Miniseries)

Andrew Sullivan andrew at ca.afilias.info
Thu Apr 5 13:11:05 UTC 2007


On Wed, Apr 04, 2007 at 06:36:24PM -0700, Roland Dobbins wrote:
> 
> Improving the qualitative security/availability of the DNS  
> infrastructure for any group/class/number of users without breakage  
> is an unalloyed good, I don't see how one could think otherwise?

Surely that depends on who you are to start with, and what the effects
on the overall system are, no?

To extend the "neighbourhood" metaphor some, if we decide to beef up
the fire service in one part of a city, but we do it by using some
budget from other parts of the city, then there are losers and winners
in the redistribution.  If the losers now start falling behind every
year, then they have reason to suspect that the original
redistribution is unfair.

Similarly in this case: if, for instance, the shield goes in place
only in front of large, wealthy, national or international ISPs, then
it more or less guarantees not only that the smaller ISPs are going to
be ill served, but that they'll _never_ be able to catch up, because
their customers will gradually bleed away to the larger ISPs where
service works more reliably.  Or, if the shield goes in place only in
front of the ISPs that are currently targets, that may relegate
everyone else to second-class status.  So who is affected, and how
that effect will play out, matters from the point of view of the
overall utility of the system.  I don't believe that gated communities
are really likely to be good for the Internet -- this is supposed to
be about _inter_ networking, not just networking for the people we
already know.

A

-- 
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew at ca.afilias.info>                              M2P 2A8
jabber: ajsaf at jabber.org                 +1 416 646 3304 x4110


