Dmitry Burkov wrote: > As you know we have some national regulation in crypto. > To implement DNSSEC we should > or to use GOST (at this moment) and to comply regulations > or to ignore DNSSEC (no comments) > or try to change national laws (also no comments). > If someone can give us an advice - what to do else - you are welcome. Ignore DNSSEC. Technically, it is poorly designed unnecessarily causing a lot of technical problems such as large message sizes. But, the most serious defect of DNSSEC, or PKI in general, is that, despite a lot of hypes, it is not cryptographically secure. Social attacks on trusted third parties makes the parties untrustworthy, which means PKI is merely socially or weakly secure. For security of interdomain routing, social security of trust relationship between ISPs is just enough to which additional social security by PKI is not helpful. For security of DNS, social security of trust relationship between ISPs and between zones are just enough to which additional social security by PKI is not helpful. Masataka Ohta _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf