On 2013-09-04 18:12, Paul Vixie wrote:
how much more money, brains, and time are we going to collectively waste on dns (so, a WOMBAT) to solve the problems dnssec solves, rather than just deploying dnssec? i understood why, during the 2008 summer of fear, we had to focus our efforts on source port randomization. but it's 2013 now. unless someone finds a fragmentation-based attack that works on dnssec, then i think we can safely tell anyone who is worried that their authority data or recursive server is vulnerable to fragmentation-based attacks, that they ought to just deploy dnssec.
Paul,
the problem is that it needs to be deployed on both sides, otherwise it will just make things even worse, so I don't think we can flush this by just saying "enable DNSSEC now". At least the parties that have some customers can't (e.g. registries, registrars, DNS operators). We definitely should say "enable DNSSEC" if you want to be protected (and we have been saying that for even longer than since summer 2008), but we also need to ensure we do everything we can to secure those who don't.
O.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations