Danny,

On Wed, Nov 26, 2008 at 10:44 PM, Danny Younger <dannyyounger@yahoo.com> wrote:

> Patrick,
>
> There are issues raised by the author of this comment that can only reasonably be assessed by other competent engineers (and I am not an engineer), so I am not looking for an assessment as to whether this engineer is a troll or not, but to know if his comments are reasonable when evaluated as engineering concerns by other engineers.
>
> The comments made under the heading "DNSSEC Suicide" could be viewed by most laymen as more than somewhat disconcerting. Is there merit in his argument, or not?
>
> Here are his objections:
>
> 1. DNSSEC does not secure DNS services to any reasonable expectation of security.

DNSSEC is not a panacea; it only does a specific thing, and only does that thing if all configs are done correctly. It's a specific reaction to a specific set of threats.

> 2. Deployment of DNSSEC on Root servers enables new DNS Amplification Attacks which cannot be easily mitigated.

But they can be mitigated. It's a showstopper for him, but seemingly not for the IETF et al.

> 3. Trust and confidence in DNSSEC is misplaced because critics have been silenced and many problems have not been addressed.

The problems in designing the spec have been many and varied; addressing them has been the main reason it's taken ~10 years for DNSSEC to evolve into its present form.

Is it possible to misconfigure DNSSEC so that you're effectively offline? Yes, that's the design. That doesn't mean it can't or shouldn't be deployed; it just means that care needs to be taken when implementing it.

DNSSEC is going to be hard to deploy globally, on a similar scale to IPv6. It's not a point-and-click kind of thing like an antivirus program.

If he has a better plan to provide a layer of security to DNS queries and replies, I haven't heard it.

-- 
Cheers,

McTim
http://stateoftheinternetin.ug