On Aug 19, 2008, at 9:09 AM, David Ulevitch wrote:
> I've yet to be shown how DNSSEC is any of those things. D-H key exchanges, DTLS, DNS PING, all sound far more appealing.
A simple solution that doesn't work always sounds better than a complex solution that does work, particularly if you analyze neither solution deeply enough to understand what each one buys you, and what each one does not buy you.
The question is not, "do you want to implement DNSSEC?" Clearly you don't. It's not "can we use DTLS to protect the last mile in the current DNS model?" Clearly we can, if people want to, and nobody's saying not to do that.
The real question is, "are you harmed if people who *do* see DNSSEC as solving a real need that they have do implement it?" Or perhaps better stated, "should people who need DNSSEC be prevented from implementing for your benefit?"
The answer to that question has to take into account what benefit accrues to you from preventing DNSSEC from being deployed. And that is why David asked the question he asked. What benefit accrues to you from stopping the deployment of DNSSEC?
It's really silly for us to be debating whether or not we personally want to use DNSSEC. If you don't want to use it, don't use it. But I *do* want to use it. And in order for me to use it, the root zone and the TLDs have to start using it. So the question is, is that bad for you for some reason?
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
