On Apr 30, 2014, at 12:08 PM, Dan York <[email protected]> wrote:

>> There have been a number of people who have offered opinions in this area,
>> and none so far have pointed to a technology issue as holding up deployment.
>> Far from it, there seem to be advances in many areas. This all seems
>> goodness.
>
> Yes, for the most part the issues holding up DNSSEC deployment are NOT
> technology-related. That said, there *are* some remaining technology issues
> that do cause problems, most notably the key rollover issue being discussed
> in multiple drafts within DNSOP right now. Additionally, while we have come
> far in automation, there are still ways we could make the DNSSEC signing
> process even easier for smaller and less tech-savvy users.
>
> But overall the technology behind DNSSEC is very solid and is not the
> deployment challenge.
There is one key problem with DNSSEC to the user's system: 1%+ of the network
rejects it, because the user is behind a device which blocks 3rd-party DNS
requests and forces all requests through a non-DNSSEC-supporting recursive
resolver. This means that any protocol which uses DNSSEC to distribute key
material needs an alternate mechanism to transmit the DNSSEC information to
the client.

--
Nicholas Weaver                  it is a tale, told by an idiot,
[email protected]                full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
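The condition Weaver describes (a client whose only reachable recursive resolver does not pass or validate DNSSEC data) can be detected from the client side before a protocol tries to pull key material out of DNS. The following is an added example written for this page, not code from the thread or from any of the participants: it builds a minimal A query with the EDNS0 DO bit, sends it to a resolver of the caller's choosing, and classifies the reply by the AD flag and by whether the resolver echoes an OPT record with DO set. The `example.com` name, the `192.0.2.1` address and the constructed reply bytes used for offline testing are all made-up sample values; a timeout from a third-party resolver while the local resolver answers is the symptom of forced redirection that the message is about.

```python
import socket
import struct

# Added example (not from the thread): probe a recursive resolver for DNSSEC
# capability. Wire-format constants follow RFC 1035 / RFC 6891 / RFC 3225.
QTYPE_A, QTYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
DO_BIT = 0x8000            # high bit of the OPT RR's TTL field carries DO
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_query(name, qid=0x1234):
    """A/IN query with RD set and one EDNS0 OPT pseudo-RR asking for DNSSEC data (DO=1)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_BIT, 0)   # root name, UDP size 4096
    return header + question + opt


def classify_response(resp, expected_id=0x1234):
    """Say what a resolver's reply tells us about its DNSSEC support."""
    if len(resp) < 12:
        return "malformed"
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id or not flags & FLAG_QR:
        return "not-a-response"
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail"                   # validator refusing bogus data, or plain failure
    off = 12
    for _ in range(qd):                     # skip the question section (name + type + class)
        off = skip_name(resp, off) + 4
    opt_seen = do_echoed = False
    for idx in range(an + ns + ar):         # walk answer, authority, additional records
        off = skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if idx >= an + ns and rtype == QTYPE_OPT:      # OPT only appears in additional
            opt_seen, do_echoed = True, bool(ttl & DO_BIT)
        off += 10 + rdlen
    if flags & FLAG_AD:
        return "validating"                 # resolver validated the chain on our behalf
    if opt_seen and do_echoed:
        return "dnssec-aware-not-validating"  # RRSIGs get through; the client must validate
    return "no-dnssec"                      # the case in the message: DNSSEC data cannot reach us


def probe(resolver_ip, name="example.com", timeout=2.0):
    """Send the query over UDP. A timeout from a third-party resolver while the
    local resolver answers suggests outbound port-53 traffic is redirected or blocked."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(data)


def constructed_response(flags, include_opt, do_bit):
    """Fake reply for offline use (constructed data, not a real capture)."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR | flags, 1, 1, 0, 1 if include_opt else 0)
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    opt = b""
    if include_opt:
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_BIT if do_bit else 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    # Offline demonstration on constructed replies; swap in probe("<resolver ip>") for a live check.
    print("validating:", classify_response(constructed_response(FLAG_RD | FLAG_RA | FLAG_AD, True, True)))
    print("aware only:", classify_response(constructed_response(FLAG_RD | FLAG_RA, True, True)))
    print("no DNSSEC: ", classify_response(constructed_response(FLAG_RD | FLAG_RA, False, False)))
```

Run `probe()` once against the resolver in `/etc/resolv.conf` and once against an external one; a `no-dnssec` verdict from the first combined with a `timeout` from the second is exactly the client population Weaver is counting, and a protocol relying on DNS-distributed keys needs its fallback channel for those clients. `dnssec-aware-not-validating` means the records arrive but the client has to do its own validation (for example with a local validating stub).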
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
