[dns-operations] fragile by design? was Re: [Ext] Re: .PL DNSSEC broken again
edward.lewis at icann.org
Tue Jun 18 12:46:38 UTC 2019
On 6/17/19, 15:06, "dns-operations on behalf of Paul Vixie" <dns-operations-bounces at dns-oarc.net on behalf of paul at redbarn.org> wrote:
(To be fair, I'm toying with the wording, not the idea:)
>the purpose of dnssec was to make dns more fragile
Well, not exactly. As was explained to me many years ago:
Any time one takes a currently operating protocol and attempts to secure it by declaring "questionable" protocol states as "invalid" protocol states, brittleness by definition, will be increased (as you reduce the arcs between the states there is a rise in potential [struct *graph-theory] cut points).
The alternative is to re-design the base protocol (upending backwards compatibility). The treatment is to try to maximize the "good" states, or at least make good use of them.
This is not unique to DNS and DNSSEC.
More information about the dns-operations