Andrew,

On Aug 19, 2008, at 5:55 AM, Andrew Sullivan wrote:
> If some technology is going to be deployed, there is generally a
> business reason for that to happen.
>
> This is also true, but in my experience one of those business reasons
> is, depressingly often, "This is the Current Thinking I read in
> _Network World_."
> ...
> Those companies will never look at
> the technology again, whatever the business reason is.  "Too risky.
> It doesn't work.  It breaks things."

I long ago gave up fighting against the market for what I felt was 'the right thing' in Internet technology. If a sufficient portion of the market decides DNSSEC is too risky or it doesn't work or it breaks things, so be it. Trust me when I say it is not something I will lose sleep over.

The reason for my earlier question is that I believe that there is sufficient interest in getting the root signed by folks who have interest in DNSSEC for it to actually happen. If signing the root were to have a significant and direct negative impact on folks who consider DNSSEC a fool's errand then it would argue strongly against signing the root. However, lacking that and since the only folks that will experience the joys of DNSSEC should be those who explicitly configure it, it would seem the harm done by signing the root would be minimal.

So far, I have seen what appears to be a lot of FUD from Masataka and the usual concerns/complaints about DNSSEC from folks who haven't implemented it in their products or services. Peter Koch did provide an interesting data point that warrants further investigation (20-35% of queries having DO bit on seems a bit high to me) and someone else responded privately that signing the root could impact the root servers due to an increase in the number of TCP connections caused by folks who turn on DNSSEC, but pretty much everyone else who has responded said they see no problems.

I suspect the question as to what will break if the root is signed will be asked in "venues that matter" in the near future. It would be nice to have an answer, or at least an idea of what to look for, beforehand.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop