[dns-operations] What would it take...
dougb at dougbarton.us
Wed Mar 11 17:31:22 UTC 2015
On 3/11/15 1:38 AM, Paul Vixie wrote:
>>Tsig won't scale for something like this. Please consider sig0.
Neither solves the problem of authenticating the entity which is sending
the DS update.
The child synchronization draft does a better job, even though I still
don't like that idea either.
I realize that I'm being a curmudgeon here, and that my stance (DNS is
difficult, DNSSEC more so, thus you need to learn how to do them
correctly or suffer the consequences) is not a popular one. But as we
all know security and convenience are two ends of a continuum, and
continuing to erode what little security is provided by DNSSEC
(*cough*negative trust anchors*cough*) is steadily making the effort put
into getting it off the ground meaningless.
More information about the dns-operations