On 09/21/2011 10:21 AM, Adam Tkac wrote:
> Another argument for enforcing DNSSEC is that in the future (well, I believe
> :)  ) DNS will be used as storage for X.509 certs, SSHFP records and
> other stuff. If we adopt a "leisure" approach (automatic disabling of
> DNSSEC or the ability to "click" somewhere on the applet to disable DNSSEC)
> then we can end up in the same situation as we are currently in with X.509
> certs. Everyone will simply click on the "disable DNSSEC" button or, when
> a MITM attack is in progress, DNSSEC will be automatically disabled.
> This will degrade DNSSEC benefits.

Besides the obvious design flaws in DNSSEC, and that in the long run they only
solve a part of the problem, how can you even consider removing the
ability to disable DNSSEC when implementing, deploying and running
DNSSEC increases the complexity a hundred times and people and ISPs alike
can't even implement and properly run a simple DNS server as it is now?

JBG
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
