According to your description, I feel that IPv6 has a better chance to win than its "brother" DNSSEC. LoL
On 16 August 2017 at 14:48, Mukund Sivaraman <[email protected]> wrote:

> On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote:
> > On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> >
> > > 24 / 500 top domains (4.8%)
> > > 20548 / 1 million top domains (2.05%)
> > >
> > > (12 years after introduction of 403{3,4,5})
> >
> > https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1
> >
> > 20% of European users is behind a validating resolver, in some countries
> > it's 70% plus.
> >
> > So this is now happening, albeit at a not high enough pace. But at least
> > it's going in the right direction, and I do believe that there is enough
> > people behind validating resolvers that people can't mess up signing their
> > zone and push away blame on who needs to fix things.
> >
> > So at least there is benefit in signing your zone now, there wasn't as much
> > before when nobody was validating.
>
> The validating resolver is half of the system.
>
> DNSSEC is brittle. It has an all-or-nothing behavior (that's what it was
> designed for) that many businesses cannot afford to bank on if something
> were to go wrong. An administrative error or signer software bug on the
> authoritative side can take the whole zone down and every service with
> it (as DNS is at the head of network activity). Software is still not
> perfect, so I don't know how this can change - I see practical signer
> bugs still that take down the zone entirely. It's also still painfully
> inconvenient to update parent zones, that makes fixing mishaps
> difficult. The amount of damage that a break in DNSSEC validation chain
> could do is far greater than other implementations of crypto such as TLS
> where it is limited to a service.
>
> (Note that I'm not advocating against DNSSEC, as much as this email may
> sound so. The things I mention are practical issues that I see as an
> implementor.)
>
> A colleague says "If TLD’s allowed UPDATE messages to be processed most
> of the issues with DNSSEC would go away. At the moment we have a whole
> series of kludges because people are scared of signed update messages."
>
> Mukund
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
