[dns-operations] summary of recent vulnerabilities in DNS security.

Daniel Kalchev daniel at digsys.bg
Tue Oct 22 11:42:11 UTC 2013

On 22.10.13 12:50, Tony Finch wrote:
> Vernon Schryver <vjs at rhyolite.com> wrote:
>> Have you turned on DNSSEC where you can?  If not, why not?
> Can we have less of the ad hominem please.

I find these questions quite reasonable.

When one claims "DNSSEC is difficult", while other claim it is not, then 
something is wrong. Answering questions like there might help find out 
where the wrong comes from and eventually fix it.

I for one, do not believe DNSSEC is any difficult. I have turned DNSSEC 
wherever I can. It has become easier and easier in the past few years to 
the point I would call deploying DNSSEC today trivial. I have therefore 
changed my stance with people considering DNSSEC deployment from 
"careful, this stuff needs special attention" to "good, encourage those 

See, I can answer such questions. Why can't others?

As for port randomization, etc -- these things will obviously happen. 
But the number of people that need to get involved is very small. These 
people know already what to do and will do it. On the other hand, the 
number of people needed to get involved with proper DNSSEC 
implementation is pretty large -- and this is where we should put our 


More information about the dns-operations mailing list