On Sat, 7 Sep 2013, Gregory Perry wrote:
> Insecure DNS deployments are probably in the top five attack vectors for remotely compromising internal network topologies, even those sporting split DNS configurations. As you were "...deeply involved in the IETF's DNSEXT working group" then I presume you know this.
> Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for confidentiality (although that would have been a bonus).
Yes, that was the original intent, but I remember the reason for opt-in was that it was impossible to realistically fit the .com zone in the RAM of modern servers at the time. Also, signing would have taken much longer to generate all the NSEC(3) records. In general, the TLDs preferred a phased-in deployment where they could exchange hardware over time. That is what opt-in offered, at the expense of making spoofing just a tiny bit harder instead of much harder for non-DNSSEC domains. Seems like a normal economics-based decision to me. These days, I don't think anyone should still run with opt-in anymore.
> There are many different camps within the DoD.
About as many as we have cryptography and cypherpunks mailing lists :P

Paul
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
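As an added illustration, not part of the thread: the opt-in idea Paul describes survives as the NSEC3 Opt-Out flag (RFC 5155), and a zone operator can tell whether a zone still relies on it by decoding its NSEC3 records. The decoder below follows the RFC 5155 wire format; the sample records are constructed here, not taken from any real zone.

```python
"""Decode NSEC3 RDATA (RFC 5155 wire format) and report Opt-Out usage."""
import struct

OPT_OUT_FLAG = 0x01  # RFC 5155 section 3.1.2: bit 0 of the Flags field


def parse_nsec3(rdata: bytes) -> dict:
    """Parse one NSEC3 RDATA blob into its fields and the set of RR types."""
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    types = set()
    bitmap = rdata[pos:]
    while bitmap:  # type bitmap: window number, block length, block
        window, length = bitmap[0], bitmap[1]
        block = bitmap[2:2 + length]
        for byte_index, byte in enumerate(block):
            for bit in range(8):
                if byte & (0x80 >> bit):  # most significant bit = lowest type
                    types.add(window * 256 + byte_index * 8 + bit)
        bitmap = bitmap[2 + length:]
    return {"hash_alg": alg, "opt_out": bool(flags & OPT_OUT_FLAG),
            "iterations": iterations, "salt": salt.hex(),
            "next_hashed": next_hashed.hex(), "types": sorted(types)}


def build_nsec3(opt_out: bool, types) -> bytes:
    """Construct sample NSEC3 RDATA for testing (types must be < 256)."""
    flags = OPT_OUT_FLAG if opt_out else 0
    bitmap = bytearray((max(types) >> 3) + 1)
    for t in types:
        bitmap[t >> 3] |= 0x80 >> (t & 7)
    head = struct.pack("!BBHB", 1, flags, 0, 0)  # SHA-1, 0 iterations, no salt
    next_hashed = bytes(range(20))  # placeholder 20-byte SHA-1 hash
    return head + bytes([20]) + next_hashed + bytes([0, len(bitmap)]) + bytes(bitmap)


def opt_out_report(records) -> dict:
    """Count Opt-Out records: any hit means unsigned delegations in that
    hash span are not covered by the authenticated-denial chain."""
    parsed = [parse_nsec3(r) for r in records]
    return {"records": len(parsed),
            "opt_out_records": sum(p["opt_out"] for p in parsed)}


if __name__ == "__main__":
    zone = [build_nsec3(True, [2, 43, 46]), build_nsec3(False, [2, 46])]
    print(opt_out_report(zone))  # constructed zone: 1 of 2 records uses Opt-Out
```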