[dns-operations] security-aware stub resolver

Edward Lewis Ed.Lewis at neustar.biz
Fri May 23 14:14:13 UTC 2008

At 5:19 +0200 5/23/08, Patrik Fältström wrote:

While you are correct that we need to step up 
security as the environment is not so trustable...

>We need any security
>mechanism we have, specifically validation mechanisms.

I don't agree that "we need any security" we can 
get.  E.g., there's not much need for TSIG if you 
are already performing zone updates over a VPN. 
Quoting a boss on this "that's like wearing a 
belt *and* suspenders."  Security tools ought to 
be applied appropriately, in ways that address 
threats, vulnerabilities and risks.  If we apply 
too many security mechanisms we might make the 
system too complicated to know if it is operating 
properly (among other problems).
Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list