nanog mailing list archives
Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?
From: Joe Abley <jabley () ca afilias info>
Date: Thu, 24 Jul 2008 11:13:24 -0400
On 24 Jul 2008, at 10:56, Joe Greco wrote:
> MY move? Fine. You asked for it. Had I your clout, I would have used this opportunity to convince all these new agencies that the security of the Internet was at risk, and that getting past the "who holds the keys" for the root zone should be dealt with at a later date. Get the root signed and secured.
Even if that was done today, there would still be a risk of cache poisoning for months and years to come.
You're confusing the short-term and the long-term measures, here.
> Get the GTLD's signed and secured.
I encourage you to read some of the paper trail involved with getting ORG signed, something that the current roadmap still doesn't accommodate for the general population of child zones until 2010. It might be illuminating.
Even once everything is signed and working well to the zones that registries are publishing, we need to wait for registrars to offer DNSSEC key management to their customers.
Even once registrars are equipped, we need people who actually host customer zones to sign them, and to acquire operational competence required to do so well.
And even after all this is done, we need a noticeable proportion of the world's caching resolvers to turn on validation, and to keep validation turned on even though the helpdesk phone is ringing off the hook because the people who host the zones your customers are trying to use haven't quite got the hang of DNSSEC yet, and their signatures have all expired.
Compared with the problem of global DNSSEC deployment, getting everybody in the world to patch their resolvers looks easy.
Joe