Rip
> > > as dnssec is finally approaching deployment, it seems
> > > imprudent to rush into a not obviously critical anycast
> > > deployment when a little patience would seem harmless.
>
> > DNSSEC, or any CA-based security, is not really secure and is
> > undeployable for any practical security.
>
> With all due respect, you've made such claims/statements on
> the list before,
And the only counter argument was:
My teacher taught me differently, I think.
> Please feel free to back up that opinion
> with fact, or don't waste people's time with it.
If security is compromised, who pays how much?
Have you ever checked the reality of terms and conditions of CAs?
> Better yet,
> if you think things are slightly broken then propose a fix.
> If you think things are *very* broken then propose a workable
> alternative and explain why things are so broken.
The current DNS is working well with weak security relying on
ISPs.
Those who need additional security should share a secret end to end
without introducing intelligent intermediate entities of CAs.
So, I don't think I have to propose a workable alternative.
Nonetheless, I proposed anycast root, which improves security against
spoofed route.
On the other hand, DNSSEC is unworkable as evidenced by the failed
deployment attempt for so many years.
Observing the failure, I gave an explanation why it is hopeless.
Masataka Ohta