On Wed, Apr 21, 2021 at 12:56 PM Michael Thomas <m...@mtcc.com> wrote:

>
> On 4/21/21 9:46 AM, Lars Eggert wrote:
> >
> >> I also got told that signing a zone is tantamount to "boiling the ocean".
> > You're misquoting David. He said:
> >
> > On 2021-4-20, at 20:20, David Schinazi <dschinazi.i...@gmail.com> wrote:
> >> I'm not saying that a 3-packet handshake would be bad, I'm saying
> >> that it's not worth boiling the ocean to remove 2 packets.
> > Nowhere in that sentence or the rest of David's email do I see any
> > mention of signing zones.
>
> > Again, not a topic for *this* mailing list.
>
> Chrome has already implemented DANE once upon a time. The only thing
> left is for Google to DNSSec sign their zone. That's it. If there is
> something else, I'm all ears.
>

It is very rare that I make an assertion on a public mailing list and refer
to reasons I am not prepared to discuss in public but I am going to do that
on this occasion.

There are very good reasons why Google and other large international
network service providers should not sign their DNSSEC zones. Securing the
Internet is about rather more than securing the Internet.
