On Wed, Aug 16, 2017 at 1:45 PM, Mukund Sivaraman <m...@isc.org> wrote:
> On Fri, Aug 11, 2017 at 10:39:50AM -0400, Matthew Pounsett wrote:
> > It sounds like you're assuming that SWILD would be supported by caching
> > servers that do not support DNSSEC or NSEC aggressive use. Why do you
> > expect implementers would adopt SWILD before adopting these much older
> > features?
>
> (Without commenting about SWILD)
>
> It does not have to be due to implementation support alone. Many
> operators stick to unsigned zones. There are many reasons, some of which
> I'd mentioned in the unsigned NSEC thread. Resolvers have to deal with
> cache pollution and unnecessary upstream queries, but they have no
> control over whether the authoritative zones are signed.
>
> 2 mails up this thread, there is a comment about "New features are
> provided only by the latest version of the protocol." This seems to mix
> unrelated things together. The latest version of DNS (if there's such a
> thing) doesn't mandate operational use of DNSSEC. Use of unsigned zones
> is not obsolete and may well outlive us. Most zones today are unsigned
> and a carrot like NSEC aggressive use is unlikely to change the level of
> adoption of DNSSEC significantly.
>

+1

DNS Poison Attack risk such as Brazilian Bank Targeted By Phishing Site And DNS Poisoning <https://www.zscaler.com/blogs/research/brazilian-bank-targeted-phishing-site-and-dns-poisoning> is the greatest motivation to deploy DNSSEC.

>
> Alexa Top domains and DNSSEC:
>
> 24 / 500 top domains (4.8%)
> 20548 / 1 million top domains (2.05%)
>
> (12 years after introduction of 403{3,4,5})
>
> Mukund
>

--
Best Regards

潘蓝兰 Pan Lanlan
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop