Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-14 Thread Ted Lemon
On Aug 13, 2008, at 10:28 PM, Masataka Ohta wrote: I presented the real-world statistical data to support my claim that DNSSEC requires too much work. That is, it is hardly deployed because it requires too much work. I must have missed that message. Does your personal experience have any

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-14 Thread Evan Hunt
I presented the real-world statistical data to support my claim that DNSSEC requires too much work. That is, it is hardly deployed because it requires too much work. The reason it's hardly deployed is that people don't see the point. COM and the root zone aren't signed, so there's no perceived

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-13 Thread Ted Lemon
On Aug 13, 2008, at 4:04 AM, Masataka Ohta wrote: Maybe Ted could provide some virtual-world data realistic enough to deny the real-world statistical data such as: djb Last week's surveys by the DNSSEC developers (SecSpider) have found a djb grand total of 99 signed dot-com names out of the

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-13 Thread Ted Lemon
On Aug 13, 2008, at 10:21 AM, Ralf Weber wrote: Hmm, assuming that we both did use the same name server software, my experiences are different. Compared to regular DNS, setting up and more importantly maintaining DNSSEC is much more work than normal DNS stuff (zone re-signing, key rollover).

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-13 Thread Wes Hardaker
On Wed, 13 Aug 2008 19:21:44 +0200, Ralf Weber said: RW Hmm, assuming that we both did use the same name server software, my RW experiences are different. Compared to regular DNS, setting up and more RW importantly maintaining DNSSEC is much more work than normal DNS stuff RW

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Masataka Ohta
Ted Lemon wrote: No, Ohta-san. It _is_ more secure. Security is relative, not absolute. Are you really talking about relative security? If you are talking about security relative to the amount of operational effort (that is, money!!!), PODS is definitely more secure than DNSSEC.

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Andrew Sullivan
[no hat] On Tue, Aug 12, 2008 at 12:00:09PM +0900, Masataka Ohta wrote: Social implementations of DNSSEC may be (or, considering its complexity, will always be) vulnerable to tampering from any person. This seems like a strong claim. Are you really just claiming that, because humans are

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Ted Lemon
On Aug 11, 2008, at 11:00 PM, Masataka Ohta wrote: If you are talking about security relative to the amount of operational effort (that is, money!!!), PODS is definitely more secure than DNSSEC. I think if you were to try to explain this by presenting real-world statistical data to support

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Dean Anderson
This message seems to answer many of the questions over the last few days. -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000 -- Forwarded message -- Date: 10 Aug 2008 00:28:22 - From:

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Dean Anderson
On Mon, 11 Aug 2008, Paul Wouters wrote: [Paul Wouters is a frequent NANOG poster.] DNSSEC has been deployed on large scale by some TLDs and RIRs already. It is very much operational. Not very much--99 domains out of 70 million in .com. Your argument would be stronger if you identified

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Dean Anderson
On Tue, 12 Aug 2008, Mark Andrews wrote: TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes in the security model which are being exploited today. I don't know of any TCP exploits today. Though TCP is not secure against anyone in the path of the packets, it's pretty

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-12 Thread Joe Abley
On 12 Aug 2008, at 14:50, Dean Anderson wrote: On Tue, 12 Aug 2008, Mark Andrews wrote: TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes in the security model which are being exploited today. I don't know of any TCP exploits today. Imagine being able to intercept

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Paul Vixie
the fact that masataka's proposal seemed qualitatively better to me eleven years ago is moot. the reason dnssec isn't deployed yet has nothing to do with any such qualitative differences. we are where we are, and what we've got to do now is deploy what we've got now. the dnssec spec at present

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Dean Anderson
On Sat, 9 Aug 2008, Paul Wouters wrote: DNSSEC, a cryptographic version of DNS, has been in development since 1993 but is still not operational. It seems that Mr. Bernstein also suffers from the "America is not the world" syndrome. ??? Bernstein said that DNSSEC offers a

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Masataka Ohta
Dean Anderson wrote: 1) What is more broken with DNSSEC than on DNS? DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives users a false sense of security. The question really should be 'What is LESS broken with DNSSEC than with DNS?' Equally broken is bad, too. 'More broken' is

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Mark Andrews
Dean Anderson wrote: 1) What is more broken with DNSSEC than on DNS? DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives users a false sense of security. The question really should be 'What is LESS broken with DNSSEC than with DNS?' Equally broken is bad, too. 'More

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Mark Andrews
To break DNSSEC, a phishing site pretending to be your parent CA and requesting you enter your private key is often enough. Which, like most things to do with security, is a matter of education. To which I should have added: With DNSSEC you *never* need to

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Masataka Ohta
Mark Andrews wrote: DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives users a false sense of security. You already have to trust your parents to publish your delegating NS RRset. So, technically, DNSSEC is no worse but no better than PODS. That is, WG discussion

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Ted Lemon
On Aug 11, 2008, at 6:34 PM, Masataka Ohta wrote: DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives users a false sense of security. The average user has a false sense of security completely independent of what the underlying protocol is. So what matters is not what sense

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Masataka Ohta
Ted Lemon wrote: DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives users a false sense of security. So what matters is not what sense of security the user has, but what actual security the user has. The false sense of security makes people unconditionally accept DNS results.

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Ted Lemon
On Aug 11, 2008, at 8:36 PM, Masataka Ohta wrote: How can you explain the evidence that many people here think DNSSEC more secure than PODS merely because it is called DNSSEC? Are they less-than-average users? No, Ohta-san. It _is_ more secure. Security is relative, not absolute. You

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-10 Thread Andras Salamon
On Sat, Aug 09, 2008 at 04:33:55PM -0400, Paul Wouters wrote: In general, for all those people who claim DNSSEC is not the solution, I have a few questions: 1) What is more broken with DNSSEC than on DNS? 2) If DNSSEC is flawed, where is a better alternative? An alternative was proposed by

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-10 Thread Ben Laurie
Tony Finch wrote: On Sun, 10 Aug 2008, Ted Lemon wrote: Paul's comment (the first of the three articles you quoted) implies that secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a bit of a problem, because fake domains are definitely a useful phishing tool. As far as

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-10 Thread Tony Finch
On Sun, 10 Aug 2008, Ben Laurie wrote: Tony Finch wrote: On Sun, 10 Aug 2008, Ted Lemon wrote: Paul's comment (the first of the three articles you quoted) implies that secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a bit of a problem, because fake domains

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-09 Thread Paul Wouters
DNSSEC, a cryptographic version of DNS, has been in development since 1993 but is still not operational. It seems that Mr. Bernstein also suffers from the "America is not the world" syndrome. Bernstein said that DNSSEC offers a surprisingly low level of security while causing severe

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-08 Thread Dean Anderson
FYI: It would be nice if someone could repost this to namedroppers. This might inform some of the discussion going on there. Both DJB and I have problems posting to namedroppers for basically the same reasons---opposing the BIND cartel. However, getting this information distributed seems to be