On Fri, 26 Nov 2010 18:49:20 +0100 [email protected] wrote:
> Fact is if it resolves with +cdflag (checking disabled) there is
> something wrong with DNSSEC or someone is screwing the result records.
DNSSEC does open you up to far easier DoS attacks (I'm not saying this case was intentional). Elliptic Curve Crypto may reduce that potential, as originally proposed by DNSCurve, but DNSSEC does make it very unlikely that you're given bogus DNS data. With SSH's recent adoption of ECC keys, maybe reducing the scope of this trade-off will happen sooner than I was expecting. Then again, the SSH community is far more adaptable/pro-active than the DNSSEC people, even with all that money, or maybe that's part of the problem.

I am not happy, but I'm still intending to turn on DNSSEC; it does require monitoring, though.

Here's a quote from one of the original OpenSSH authors that was put on the OpenBSD list about IPv6 (not DNSSEC, but I think it probably applies), which I notice FRLinux should recall.

=======================================================================
"shit which comes out of research organizations all tends to suck these days, doesn't it. or perhaps it always did (OSI networking, ipv6, same same). i have theorized in the past that the problem we face is that an insufficient number of axe murderers are attending those kinds of research meetings."
=======================================================================

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
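The +cd test quoted at the top of this message, and the monitoring the poster says DNSSEC requires, can be turned into a small script. The following is an added example and is not code from either poster or from the Unbound project; it assumes a validating resolver reachable by address (the SERVER argument), the standard `dig` tool, and a name of your choosing. It compares a normal query against one sent with +cd (checking disabled): if the name only resolves once validation is switched off, the chain is broken or the records are being tampered with; if it fails both ways, the problem is not DNSSEC at all.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify a validating
# resolver's view of a name by comparing a normal query with a +cd query.
#
# classify_dnssec RCODE_NORMAL AD_NORMAL RCODE_CD
#   RCODE_*   dig "status:" field, e.g. NOERROR / SERVFAIL / NXDOMAIN
#   AD_NORMAL 1 if the normal answer carried the AD (authenticated data) flag
classify_dnssec() {
    rc_normal=$1; ad_normal=$2; rc_cd=$3
    if [ "$rc_normal" = "SERVFAIL" ] && [ "$rc_cd" != "SERVFAIL" ]; then
        # Resolves only with checking disabled: validation itself fails
        # (expired RRSIGs, missing/wrong DS, clock skew) or the records are
        # being altered in transit. This is the "something wrong" case.
        echo bogus
    elif [ "$rc_normal" = "SERVFAIL" ]; then
        # Fails even with +cd: the zone or the path to it is down, which is
        # not a DNSSEC problem.
        echo unreachable
    elif [ "$ad_normal" = 1 ]; then
        # Answer came back validated.
        echo secure
    else
        # Answer came back, but without AD: unsigned zone, or the resolver
        # you asked is not validating at all (so +cd proves nothing there).
        echo insecure
    fi
}

# dig_rcode SERVER NAME [extra dig options] -> prints the status field
dig_rcode() {
    server=$1; name=$2; shift 2
    dig @"$server" "$name" A +dnssec +noall +comments "$@" \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# dig_ad SERVER NAME -> prints 1 if the AD flag is set, else 0
dig_ad() {
    server=$1; name=$2
    if dig @"$server" "$name" A +dnssec +noall +comments \
        | sed -n 's/^;; flags: \(.*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad; then
        echo 1
    else
        echo 0
    fi
}

# probe_dnssec SERVER NAME -> one of: secure insecure bogus unreachable
# Assumed usage (hypothetical resolver address and name), e.g. for a cron job:
#   probe_dnssec 127.0.0.1 example.net
probe_dnssec() {
    server=$1; name=$2
    rc_normal=$(dig_rcode "$server" "$name")
    ad_normal=$(dig_ad "$server" "$name")
    rc_cd=$(dig_rcode "$server" "$name" +cd)
    classify_dnssec "$rc_normal" "$ad_normal" "$rc_cd"
}
```

Run `probe_dnssec` against the validating resolver itself (Unbound), not against a forwarder in front of it: the AD flag is only meaningful from the box that did the validation, and a "bogus" result from a monitoring job is the signal to look at the zone's signatures and DS records, or at the resolver's clock, before assuming an attack.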
