On Aug 17, 2008, at 4:12 PM, Dean Anderson wrote:
> Changing DNS protocol is considered by many to be expensive and risky.
> Are you saying it's not expensive or risky? That seems to be a far more
> bold assertion.

Actually, you and Ohta-san seem to be taking that position. That's
not "many." I just deployed DNSSEC. My servers are ticking over
happily, and I haven't had any complaints from users. So I guess I
don't think it's all that risky, no. It may be that I'm wrong, but
you haven't said anything surprising yet, so I'm still waiting for the
revelation that will convince me that your fears are justified.

> However, misplaced trust attacks can only be avoided by preventing the
> sending of trusted information to untrusted sites. Solve this problem
> correctly (which is entirely doable) and none of these attacks will be
> effective at obtaining trusted information.

Forgive me for pointing this out, but about three exchanges ago you
said that solving this problem was provably impossible. Have you
changed your mind, or am I missing something?
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop