On Tue, Sep 28, 2010 at 5:27 PM, Mark Andrews <ma...@isc.org> wrote:

>
> In message
> <aanlktinbtpvjlqsl87v5xbd0kh_hn+t1wx2mhdfy2...@mail.gmail.com>,
> Phillip Hallam-Baker writes:
> >
> > The most frustrating part about DNSSEC is that trying to pin down what it
> > is and what it is not, what it is trying to do and what it is not is like
> > trying to nail jello to a wall.
>
> DNSSEC is a tool.  It can be used in lots of ways.  It can be configured in
> lots of ways.


But which of those ways are people prepared to stand behind and for which
ones am I going to be told 'we aren't trying to solve that problem'.

> Which is perfectly possible to do with DNSSEC + TSIG or DNSSEC + SIG(0) or
> DNSSEC + GSS-TSIG or DNSSEC + IPSEC or ....


That is four different possible ways, none of which I would describe as
perfect. In addition there is TKEY + TSIG (RFC2930).

This is a standards organization; there is a difference between four
possibilities based on existing standards and a 'standard' in my view. We
certainly have the basis for developing that type of standard, but to claim
that we have one when there are five options and no understanding of the
tradeoffs is a little previous in my view.

Having looked at deployment of these schemes on a resolver large enough to
have a high probability of DNSSEC cache hits, I cannot see a way to make the
existing schemes work without making the performance issues of DNSSEC worse,
which is not very helpful when you are trying to work out how to minimize
the impact of deploying DNSSEC.


What I originally said was that I don't regard DNSSEC as appropriate for
intra-domain trust. What I did not say is 'broken'.

I think that a lot of the limitations people are finding in the DNSSEC model
come from the fact that in order to make the best use of information from
the DNSSEC it is necessary to have more information available to the client
than is available in a single request and response.

Once you have the ability to aggregate more information the value of DNSSEC
becomes much greater and the probability of providing protection in a real
world security context is much greater.

As you say, DNSSEC is currently just a tool. Now we have to work out how to
make best use of it.

-- 
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf