On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote:
> > It appears that source port randomization works.
>
> Was there ever any doubt? The question wasn't (isn't?) whether source

Yes, people used the Kaminsky hack as a way to push DNSSEC. So perhaps doubt was *instilled*.

> making the communication channel irrelevant. IMHO, it is a better
> long-term solution (folks who know my opinion on DNSSEC may now require
> smelling salts).

As an implementor, after two years, we keep finding DNSSEC corner cases that make the authors of the very RFCs swoon. The effort of implementing everything correctly is just staggering; our number of regression tests is exploding just to try to keep everything in check.

It might have been easier all round to just start from scratch and not pretend that this is 'an enhancement of DNS'. The length of the DNSSEC RFCs exceeds the length of the standardizing RFCs of DNS.

By the way, I know some people will immediately chime in that DNSSEC isn't that hard, but you won't hear an implementor among them...

Bert

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations