James A. Donald wrote:
> --
> James A. Donald wrote:
>> > What is the penetration of Secure DNS?
>
> Ben Laurie wrote:
>> Anyone who is running any vaguely recent version of
>> BIND is DNSSEC enabled, whether they are using it now
>> or not.
>
> I am not well informed about DNSSEC, but I am under the
> impression that:
>
> 1. Actually using DNSSEC is a major performance hit.

No more than using SSL. Well, not much more :-)

> 2. Actually using DNSSEC requires manual secure master
> public key distribution, which people are disinclined
> to do, and which may not scale very well, unless
> unspecified institutions and arrangements are put in
> place.

Key distribution is, indeed, an open question. Certainly manual key distribution is not a solution.

> 3. No one actually uses DNSSEC in the wild.

I don't know whether this is true or not. Finding out what people do and don't do with DNS is hard.

> Please advise me if these impressions are wrong, or have
> become outdated.
>
> I realize that I sound like a cold wet sponge with a
> non-stop stream of unpleasantly negative posts, but one of
> the reasons that cryptography is not widely used is that
> the various standards, processes, and tools are not in
> fact very usable.

Doesn't bother me any, it's just that I happen to have done work on DNSSEC, so I figured I should alert those who care to the problem.

> Implementing protocols requires widespread consensus,
> but when too many people show at a meeting then either
> nothing gets done, or the outcome is extremely stupid,
> or both, and anyone who points to big problems in what
> is being done is dismissed as out of order or off topic
> in order to create the semblance of progress, with the
> result that what little progress occurs is usually in
> the wrong direction.

That seems a rather harsh judgement of a working group you say you're not informed about. Not that I totally disagree: the work I did on DNSSEC was initially dismissed as out of order and off topic, and it took a lot of effort to get people to accept that the problem was genuine. :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit."
    - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
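Added example, not part of the thread above and not code from either poster or from BIND: point 2 in the exchange is about the "master public key" a validator must obtain out of band. In DNSSEC terms that is a trust anchor, and the thing a resolver actually does with it is mechanical: the DS record it holds (or receives from a parent zone) must reproduce the key tag and digest of the child's DNSKEY. The code below implements that check from the RFC 4034 definitions (key tag, Appendix B; DS digest, section 5.1.4) using only the standard library, so the anchor comparison can be exercised offline. The zone name and key bytes are constructed placeholders, not real zone material.

```python
"""Trust-anchor check a DNSSEC validator performs at each step of the chain."""
import hashlib
import hmac
from dataclasses import dataclass

DNSKEY_PROTOCOL = 3          # fixed value for DNSSEC keys (RFC 4034 section 2.1.2)
KSK_FLAGS = 0x0101           # Zone Key + Secure Entry Point, typical for an anchored key
ZSK_FLAGS = 0x0100           # Zone Key only
DS_DIGEST_ALGORITHMS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        encoded = label.encode("ascii")
        if len(encoded) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([DNSKEY_PROTOCOL, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA, used to select a key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA)."""
    h = hashlib.new(DS_DIGEST_ALGORITHMS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.digest()


@dataclass(frozen=True)
class DSRecord:
    """What a trust anchor (or a parent's DS RR) carries about a child's key."""
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(owner: str, flags: int, algorithm: int, public_key: bytes,
            digest_type: int = 2) -> DSRecord:
    """Build the DS record a parent (or an operator configuring an anchor) would publish."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return DSRecord(owner, key_tag(rdata), algorithm, digest_type,
                    ds_digest(owner, rdata, digest_type))


def dnskey_matches_ds(ds: DSRecord, owner: str, flags: int, algorithm: int,
                      public_key: bytes) -> bool:
    """The validator's check: a DNSKEY from a response must reproduce the anchored DS."""
    if ds.owner.rstrip(".").lower() != owner.rstrip(".").lower():
        return False
    rdata = dnskey_rdata(flags, algorithm, public_key)
    if ds.algorithm != algorithm or ds.key_tag != key_tag(rdata):
        return False
    return hmac.compare_digest(ds.digest, ds_digest(owner, rdata, ds.digest_type))


if __name__ == "__main__":
    # Constructed placeholder key: algorithm 8 (RSASHA256) with made-up key bytes.
    FAKE_KEY = b"\x03\x01\x00\x01" + bytes(range(32))
    anchor = make_ds("example.", KSK_FLAGS, 8, FAKE_KEY)          # distributed out of band
    print("anchored key tag:", anchor.key_tag)
    print("genuine key accepted:", dnskey_matches_ds(anchor, "EXAMPLE.", KSK_FLAGS, 8, FAKE_KEY))
    forged = FAKE_KEY[:-1] + b"\xff"
    print("altered key accepted:", dnskey_matches_ds(anchor, "example.", KSK_FLAGS, 8, forged))
```

The point for the thread's question is that only the record at the top (the anchor) has to be distributed securely; every other zone's key is checked against a DS that arrives in the signed parent zone, so "manual key distribution" reduces to one record per configured anchor rather than one per zone.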