On Fri, May 16, 2014 at 6:41 AM, Ted Lemon <ted.le...@nominum.com> wrote:
> On May 16, 2014, at 8:18 AM, Andrew Sullivan <a...@anvilwalrusden.com> wrote:
> > But it seems to me we ought to be more enthusiastic than resigned in this
> > case, even if we have to hold our collective nose as well. Either those
> > who understand how the DNS works will document what to do, or else people
> > who have no clue will make more "improvements".
>
> The big can of worms to which I was referring in the previous message was
> DNSSEC. Deploying CDN functionality with DNSSEC is hard. Not impossible,
> but definitely hard. I'm not convinced it's the right way to solve the
> problem. But then, I'm not convinced that DNS is the right way to solve
> these problems generally, although as you say, those with operational skin
> in the game seem to have good reason to have chosen this solution out of
> those available.

Just to back that up: DNS tricks do play an important role in keeping the
internet robust and healthy. They're a key part of many DDoS mitigation
techniques, and network failure mitigation too. In my experience DNS tricks
are also much better than the alternatives (pure anycast, redirects, etc.).

It is harder to deploy DNSSEC around these tricks, and one must consider
that signed answers are replayable across "views" - but it's not that
significant in comparison to the overall challenges of deploying DNSSEC at
scale.

--
Colm
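To illustrate the replay point above, here is an added example (not part of the thread, and not how any real resolver is implemented) modelling why a signed answer from one split-horizon view validates unchanged in another: the signed data covers only the owner name, type, RDATA and validity window, never the client or view that received it, so the only thing bounding the replay is the RRSIG expiration. The zone key is a constructed HMAC stand-in for a real asymmetric ZSK; the property does not depend on the algorithm.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the zone's signing key (real DNSSEC uses an
# asymmetric ZSK; the replay property is the same either way).
ZONE_KEY = b"example-zsk-placeholder"

def canonical_rrset(name, rtype, rdatas):
    """Loosely follows RFC 4034 canonical form: lowercase owner, sorted
    RDATA. Note what is absent: nothing identifies the view or client."""
    parts = [name.lower().encode(), rtype.encode()]
    parts += sorted(r.encode() for r in rdatas)
    return b"|".join(parts)

def sign_rrset(name, rtype, rdatas, inception, expiration):
    """Produce a simplified RRSIG record over the RRset."""
    rrsig = {"type_covered": rtype, "signer": "example.com.",
             "inception": inception, "expiration": expiration}
    to_sign = struct.pack(">II", inception, expiration)
    to_sign += canonical_rrset(name, rtype, rdatas)
    rrsig["signature"] = hmac.new(ZONE_KEY, to_sign, hashlib.sha256).hexdigest()
    return rrsig

def validate(name, rtype, rdatas, rrsig, now):
    """What a validating resolver checks: the window, then the signature."""
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False
    to_sign = struct.pack(">II", rrsig["inception"], rrsig["expiration"])
    to_sign += canonical_rrset(name, rtype, rdatas)
    expected = hmac.new(ZONE_KEY, to_sign, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rrsig["signature"])

# Constructed split-horizon data: each view hands out a different A RRset.
VIEWS = {"eu": ["192.0.2.10"], "us": ["198.51.100.10"]}
NAME = "www.example.com."

def replay_across_views(validity_seconds, replay_delay):
    """Sign the EU view's answer, then present it to a resolver in the US
    view replay_delay seconds later. Returns whether it still validates."""
    t0 = 1_400_000_000  # constructed inception time
    sig = sign_rrset(NAME, "A", VIEWS["eu"], t0, t0 + validity_seconds)
    return validate(NAME, "A", VIEWS["eu"], sig, t0 + replay_delay)

def swapped_rdata_validates(validity_seconds):
    """Control: the EU RRSIG does not validate the US RRset (integrity holds)."""
    t0 = 1_400_000_000
    sig = sign_rrset(NAME, "A", VIEWS["eu"], t0, t0 + validity_seconds)
    return validate(NAME, "A", VIEWS["us"], sig, t0 + 60)
```

The replay succeeds for as long as the RRSIG is valid, which is why operators serving per-view answers keep signature lifetimes short; the signature still detects any change to the RDATA itself.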
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop