[dns-operations] Question to DNSSEC and DLV policy

Paul Vixie vixie at isc.org
Mon Mar 23 07:13:51 UTC 2009


> From: Michael Monnerie <michael.monnerie at is.it-management.at>
> To: dns-operations at mail.dns-oarc.net
> Date: Fri, 20 Mar 2009 12:00:50 +0100
> Subject: Re: [dns-operations] Question to DNSSEC and DLV policy
> 
> ...  ATM, it's not really a reasonable decision to use DNSSEC, despite
> just being cool. Almost no resolver uses it, and end users I guess have
> no benefit (there was a discussion once on this list whether firefox acts
> differently on DNSSEC or not). So for the "fun" of testing, DLV would be
> enough for me right now. And we can say "hey, we have DNSSEC, others
> don't". But people won't care anyway ;-)

if you behave as though that statement is true, you will make it true.

there is precious little benefit to being the first to speak a wide area
protocol.  that was true of IPv6, and a long time ago it was true of IPv4,
and a shorter time ago, it was true of HTTP, and later of HTTPS.  it is
true of DNSSEC.

(local area protocols like DHCP and NFS can be far more relevant, earlier,
since the same sysadmin is probably setting up both ends.)

if you deploy DNSSEC and DLV today you will become immune to several kinds
of known wire-level poisoning for others who've deployed DNSSEC and DLV.

but more importantly you will form an installed base that will attract
others who need more motivation than you needed.
