On 2012-04-15 7:04 PM, David Conrad wrote:
> On Apr 15, 2012, at 9:37 AM, Paul Vixie wrote:
>> i'd tell validator operators who think they need NTA's in
>> order to control the risks posed by zone owner errors, "if you can't
>> stand the heat then stay out of the kitchen."
> Given the benefits provided by DNSSEC (to date) are largely invisible and the 
> costs quite non-trivial, I'd think this would ensure DNSSEC validation never 
> gets deployed, thus secure applications (such as DANE) will never exist.
>
> I thought we'd learned that flag day deployments don't work on the Internet 
> anymore.

i thought so too until we had "world ipv6 day" last year. noting that
adding a AAAA record to www.{facebook,yahoo,google}.com has been seen to
hit all kinds of roadblocks due to teredo and other failed tunneling
mechanisms, the only way big companies will feel safe turning it on
(knowing that they'll lose 0.3% of unique eyeballs when they do) is if
they're traveling in a "pack" with other big companies.

so it apparently will be for dnssec. nobody should validate until
everybody validates, because otherwise the failures at the social
security administration or nasa to sign and re-sign their zones, and to
properly maintain the relationship between the keys they use and the DS
RRs their parent zones have for them, will be felt by early adopters.

ipv6 and dnssec both have incredibly strong early adopter penalties:
"you can break me now, or you can break me later." i seek to avoid
legitimizing the aaaa "igor hack" in bind9, and negative trust anchors.
i know that people will do this stuff but i also know that IETF should
not give either one an implicit +1.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
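The "relationship between the keys they use and the DS RRs their parent zones have for them" that the post says early adopters suffer for is mechanically checkable before a validator ever sees it. As an added example (not from this thread or from any BIND code), the Python below recomputes a DS from a child zone's DNSKEY per RFC 4034 and reports how the two have drifted; the zone name and key bytes are constructed, not real key material.

```python
import hashlib
from dataclasses import dataclass

EXAMPLE_PUBKEY = bytes(range(1, 65))  # constructed, not a real RSA/ECDSA key

@dataclass(frozen=True)
class DNSKEY:
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int   # always 3 for DNSSEC
    algorithm: int  # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey: bytes

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: bytes

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_name(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(k):
    return k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.pubkey

def key_tag(k):
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata(k)))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, k, digest_type=2):
    """The DS the parent should publish: digest over owner name + DNSKEY RDATA."""
    h = DIGESTS[digest_type](wire_name(owner) + dnskey_rdata(k)).digest()
    return DS(key_tag(k), k.algorithm, digest_type, h)

def check_ds(owner, keys, ds):
    """Say whether a DS held by the parent still matches a DNSKEY in the child."""
    if ds.digest_type not in DIGESTS:
        return "unsupported digest type"
    for k in keys:
        if key_tag(k) != ds.key_tag or k.algorithm != ds.algorithm:
            continue
        if make_ds(owner, k, ds.digest_type).digest == ds.digest:
            return "ok"
        return "digest mismatch: same key tag, but DS was computed from a different key"
    return "no DNSKEY matches this DS: key rolled without updating the parent?"
```

Running `check_ds` against the live DNSKEY RRset and the parent's DS RRset on a schedule catches the stale-DS and rolled-key cases the post describes before resolvers turn them into SERVFAIL.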