David Conrad wrote:

> So far, I have seen what appears to be a lot of FUD from Masataka and  
> the usual concerns/complaints about DNSSEC from folks who haven't  
> implemented it in their products or services.

Unlike me, you have no implementation expertise.

I did implement server code for my proposal of "Simple Secure
DNS" more than 10 years ago to confirm that, unlike DNSSEC, it can
be implemented easily. From the beginning, I knew it was essentially
(except for supporting reading/writing new RR types from/to the zone file) less
than 100 lines of modification to BIND, and it actually was so.

As a lazy implementor, I can design protocols to avoid useless
implementation efforts. As a faithful protocol designer, I
implement my design to confirm it actually requires little
implementation effort.

At that time, because of fundamental complexity, there was no DNSSEC
implementation.

Thus, I am the implementer who can authoritatively declare that all
the implementors and system administrators of DNSSEC do not
understand both DNS and PKI and are brain dead.

I, of course, won't bother to implement proven-to-be-fundamentally-
broken DNSSEC nor join proven-to-be-useless attempts to improve
the proven-to-be-fundamentally-broken protocol.

Anyway, the other problem of DNSSEC is that PKI, as a concept, is
fundamentally broken, against which no PKI protocol can be useful.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop