> > Why not just turn on DNSSEC? > > Important zones are still unsigned, so I can understand why there is a > desire for altenative solutions.
Right. It isn't like we are lacking for ways to solve the problems we know about. E.g., we know how to mitigate the Kaminsky attack. But, yet, still there are plenty of vulnerable resolvers (per our PAM paper From this past spring). E.g., we know how to secure DNS records with crypto. But, yet, broadly speaking we don't do it. So, perhaps we need to re-think things. allman
pgpaXw4VIMmms.pgp
Description: PGP signature
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
