On Apr 29, 2006, at 9:40 PM, [EMAIL PROTECTED] wrote:

I heard about DNSSEC 5 years ago.  It is really frustrating
that everyone knows how to fix/improve DNS but years/decades
may pass before improvements actually get implemented.

Tim Berners-Lee, father of the web, calls DNS the 'Achilles' heel'
of the Web.  Makes sense to me.

It's a very simple answer to "why": inertia.

Ask around, and most people will merely shrug their shoulders and say "Eh, it works well enough." I haven't really read up on DNSSEC, but I don't really imagine it's all that _hard_ to implement on a recent version of BIND. Last I looked, DJB refused to implement DNSSEC because it is, in his eyes, horridly broken and not really a fix for the problem, and I hate to admit it, but I kind of see his point. (not that I necessarily agree with him.) :)

Likewise, how hard would it be to do DNS-over-SSL for zone transfers (which usually end up going over TCP anyway due to zones generally not fitting inside a single UDP packet)?

It's not done because the current system works "well enough" for most people, so they don't pressure their IT depts. or ISPs to move to the "better" solution.

Kind of like SPF and the other "sender verification" mechanisms to help fight spam. Who actually uses it?

Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu
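Editor's added example, not part of Gregory's message or the quoted post: the zone-transfer point above (AXFR ends up over TCP because a zone rarely fits in one 512-byte UDP reply) is easy to see in code. The script below builds an AXFR query and a constructed response for a hypothetical zone `example.test.`, frames it with the two-byte length prefix that DNS over TCP uses (RFC 1035 section 4.2.2), splits it back out of the "stream", and checks the RFC 5936 rule that a complete transfer starts and ends with the zone's SOA. All data is constructed in memory; nothing is sent on the network, and it uses only the Python standard library.

```python
"""Added example (editor's code, not from the mailing-list post).
Minimal DNS AXFR query/response framing over TCP, stdlib only.
The zone, names and records below are constructed for illustration."""
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR = 1, 6, 252
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end = [], None
    for _ in range(128):  # guard against pointer loops in hostile input
        n = msg[off]
        if n & 0xC0 == 0xC0:  # 2-byte pointer: 11xxxxxx xxxxxxxx
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels) + ".", (end if end is not None else off)


def build_axfr_query(zone, txid=0x1234):
    # header: id, flags=0, qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)


def rr(name, rtype, ttl, rdata):
    """One resource record: owner name, type, class, ttl, rdlength, rdata."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_axfr_response(query, records):
    """Echo the question back with QR|AA set and the records as the answer section."""
    txid = struct.unpack_from("!H", query)[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(records), 0, 0)
    return header + query[12:] + b"".join(records)


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every DNS message is prefixed by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(stream):
    """Cut a TCP byte stream back into DNS messages using the length prefixes."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + n > len(stream):
            raise ValueError("truncated DNS message in TCP stream")
        msgs.append(stream[off:off + n])
        off += n
    return msgs


def parse_answers(msg):
    """Return [(owner, type, rdata)] for the answer section of a DNS message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg)
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        out.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return out


def axfr_is_complete(answers):
    """RFC 5936: a full AXFR begins and ends with the zone's SOA record."""
    return len(answers) >= 2 and answers[0][1] == QTYPE_SOA and answers[-1][1] == QTYPE_SOA


def demo_transfer(zone="example.test.", n_hosts=40):
    """Run the whole exchange in memory for a constructed zone of n_hosts A records."""
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2006042901, 3600, 900, 604800, 300))
    soa = rr(zone, QTYPE_SOA, 3600, soa_rdata)
    hosts = [rr(f"host{i}.{zone}", QTYPE_A, 300, bytes([10, 0, i // 256, i % 256]))
             for i in range(n_hosts)]
    query = build_axfr_query(zone)
    response = build_axfr_response(query, [soa] + hosts + [soa])
    msgs = split_tcp_stream(frame_tcp(response))  # stands in for the TCP socket
    answers = parse_answers(msgs[0])
    return {"response_len": len(response), "fits_udp512": len(response) <= 512,
            "records": len(answers), "complete": axfr_is_complete(answers)}


if __name__ == "__main__":
    print(demo_transfer())
```

Even this 40-host toy zone produces a 1594-byte response, three times the classic 512-byte UDP limit, which is why a transfer is carried over TCP and why wrapping that TCP session in TLS (or signing it with TSIG) is a transport question rather than a protocol redesign.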



-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
