On Sun, Oct 20, 2013 at 6:33 PM, Vernon Schryver <v...@rhyolite.com> wrote:
>> From: Haya Shulman <haya.shul...@gmail.com>
>
>> I was under pressure to catch a flight when I responded and forgot DNSSEC;
>> it is as dear to me as it is to you :-)
>
> I'm sorry, but I think the mention of DNSSEC in your paper exists only
> because others forced it.

Is it really necessary to make an accusation like this? Haya's research seems very detailed and uncovers some vulnerabilities that escaped many of us over the years. Haya's clearly aware of DNSSEC and it's been called out as a mitigation in every one of the papers I've read. You write as if Haya has an agenda to undermine DNSSEC, but all I see is unbiased factual statements in the papers.

It's a complicated story to tell and it doesn't make for clear straightforward advice; for the foreseeable future deploying DNSSEC on the auth side makes you more vulnerable, as there are still more non-validating resolvers than there are validating ones. But then complete deployment of DNSSEC on the resolver side would make everything better again. It's hard to ethically advise someone that they should stick their neck out for deferred benefit of everyone else.

-- 
Colm
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations