[dns-operations] summary of recent vulnerabilities in DNS security.
daniel at digsys.bg
Tue Oct 22 11:42:11 UTC 2013
On 22.10.13 12:50, Tony Finch wrote:
> Vernon Schryver <vjs at rhyolite.com> wrote:
>> Have you turned on DNSSEC where you can? If not, why not?
> Can we have less of the ad hominem please.

I find these questions quite reasonable.

When one claims "DNSSEC is difficult", while others claim it is not, then
something is wrong. Answering questions like these might help find out
where the wrong comes from and eventually fix it.

I, for one, do not believe DNSSEC is at all difficult. I have turned on DNSSEC
wherever I can. It has become easier and easier in the past few years to
the point I would call deploying DNSSEC today trivial. I have therefore
changed my stance with people considering DNSSEC deployment from
"careful, this stuff needs special attention" to "good, encourage those

See, I can answer such questions. Why can't others?

As for port randomization, etc. -- these things will obviously happen.
But the number of people that need to get involved is very small. These
people know already what to do and will do it. On the other hand, the
number of people needed to get involved with proper DNSSEC
implementation is pretty large -- and this is where we should put our