James A. Donald wrote:
> > What is the penetration of Secure DNS?

Ben Laurie wrote:
> Anyone who is running any vaguely recent version of
> BIND is DNSSEC enabled, whether they are using it now
> or not.

I am not well informed about DNSSEC, but I am under the
impression that:

1.  Actually using DNSSEC is a major performance hit.

2.  Actually using DNSSEC requires manual secure master
public key distribution, which  people are disinclined
to do, and which may not scale very well, unless
unspecified institutions and arrangements are put in

3.  No one actually uses DNSSEC in the wild.

Please advice me if these impressions are wrong, or have
become outdated.

I realize that I sound like a cold wet sponge with a non
stop stream of unpleasantly negative posts, but one of
the reasons that cryptography is not widely used is that
the various standards, processes, and tools are not in
fact very usable.

Implementing protocols requires widespread consensus,
but when too many people show at a meeting then either
nothing gets done, or the outcome is extremely stupid,
or both, and anyone who points to big problems in what
is being done is dismissed as out of order or off topic
in order to create the semblance of progress, with the
result that what little progress occurs is usually in
the wrong direction.

         James A. Donald

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to