[dns-operations] What would it take...

Doug Barton dougb at dougbarton.us
Wed Mar 11 17:31:22 UTC 2015

On 3/11/15 1:38 AM, Paul Vixie wrote:
>>Tsig won't scale for something like this. Please consider sig0.

Neither solves the problem of authenticating the entity which is sending 
the DS update.

The child synchronization draft does a better job, even though I still 
don't like that idea either.

I realize that I'm being a curmudgeon here, and that my stance (DNS is 
difficult, DNSSEC more so, thus you need to learn how to do them 
correctly or suffer the consequences) is not a popular one. But as we 
all know, security and convenience are two ends of a continuum, and 
continuing to erode what little security is provided by DNSSEC 
(*cough*negative trust anchors*cough*) is steadily making the effort put 
into getting it off the ground meaningless.