[dns-operations] Forgery resilience idea - wildcard cooperative defense

bert hubert bert.hubert at netherlabs.nl
Thu Aug 7 17:38:19 UTC 2008

On Thu, Aug 07, 2008 at 05:18:28PM +0000, Paul Vixie wrote:
> any solution requiring cooperative action/change by both the RDNS and ADNS
> has a cost that's equivilent to "deploy DNSSEC".  the thing that's good

That's simply not true - DNSSEC does not function automatically even if both
ADNS and RDNS support it. 

DNSSEC needs a change to:
	the zone, 
	the registry, 
	the registrar,
	and even the operational procedures of domain owner.
	(the stub, the application - if you want to give the end-user a

EDNS PING or other entropy enhancing solutions provide benefit to anybody
deploying them, without further work, and require only ADNS and RDNS work.

DNSSEC provides lots of other things beyond entropy of course. 


http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the dns-operations mailing list