[dns-operations] Where to find "DNS resolution path corruption"?

Lutz Donnerhacke lutz at iks-jena.de
Wed Feb 20 08:36:15 UTC 2008

* k claffy wrote:
> you folks are making a really strong argument 
> that 'dnssec does not solve the real problem'.. 

There is no technical solution to the social problem that people leave the
control of their systems to other people.

DNSSEC has advantages:

  for admins     centralize public key handling (i.e. SSH)
                 obtain clear diagnostic information instead of nxdomain
  for managers   be outstandingly innovative (using 10-year-old technology)
                 secure their own domain from theft and pharming
  for customers  if it works, everything is ok
                 if it doesn't work, the ISP defeated an attack

DNSSEC has disadvantages:

  for admins     more work, more to read, new pitfalls to debug
                 update tools (maintainer left the company years ago)
  for managers   if something goes wrong, the whole domain is dead for days
  for customers  this fucking ISP isn't able to provide Internet

Did I miss something?
