DNSSEC, a cryptographic version of DNS, has been in development since
1993 but is still not operational.

It seems that Mr. Bernstein also suffers from the "America is not the
world" syndrome.

Bernstein said that DNSSEC offers "a surprisingly low level of security"
while causing severe problems for DNS reliability and performance.

Let's not argue about the subjective "surprisingly". But what is this
"low level of security"? Is a fully trusted path 'low level'? If so,
what is 'high level'?

"We need to stop wasting time on breakable patches," Bernstein said. He
called for development of DNSSEC alternatives that quickly and securely
reject every forged DNS packet.

This statement even goes so far as to suggest DNSSEC is a "breakable patch".
In general, for all those people who claim DNSSEC is not the solution, I
have a few questions:

1) What is more broken with DNSSEC than with DNS?
2) If DNSSEC is flawed, where is the better alternative?

Without answering those questions, you can't really reject DNSSEC over
the alternative of continuing to run DNS as we have so far.

Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop