[dns-operations] Is DNSSEC causing more problems than it solves.

Paul Vixie paul at redbarn.org
Tue Feb 23 15:38:02 UTC 2016



Brett wrote:
> Note the subject is from the article and of course not my opinion.
>
> Thought some of you might find this (and the linked documents and blog
> posts) interesting.

marie already linked my previously expressed views into this thread, so 
let me add something new:

>
> http://www.theregister.co.uk/2016/02/23/dnssec_more_problem_than_solution/
>

if the ultimate benefit of dnssec is JUST and ONLY to allow caching 
recursives to detect and reject end to end tampering, then that good is 
not as large as the risk and cost of deploying dnssec.

however, the end game here is dnssec-aware applications, like DANE. and 
that outcome is well worth all known and imaginable risks and costs of 
deploying dnssec.

so, the headline above could be true, "from a certain point of view."

-- 
P Vixie


More information about the dns-operations mailing list