On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
> The key point is choice. Just as some people CHOOSE to install products such as Norton Anti-Virus that stop certain applications running on their machine, the typical Internet user should probably CHOOSE to use a DNS service that has the known crimeware sites eliminated.
Should they also CHOOSE for a porn filter? And a filter on politically sensitive words? Where does our job end to let the user CHOOSE their censorship? And again, you make it sound like DNSSEC is taking away that choice, which is clearly not the case.
> The point is that the particular obsession with 'end to end' solutions means that we lose the ability to deploy architectures that provide greater protection against the attacks that actually matter.
It prevents hacking the protocol (for good AND for evil). And that is a good thing.
> DNS hijacking is a very rare type of attack.
No it is not. It depends on your environment. I'll grant you that it's more likely you'll end up on a phishing site than caught in a DNS spoof, but that does not validate your opinion of not rolling out stronger security just so people can play games with protocols. And as Mark showed, there are legitimate ways of piggybacking filtering services with DNS using EDNS options.
> Securing the mapping of DNS names to IP addresses will not provide a major reduction in expected losses due to attacks.
It will greatly improve security by providing a hierarchical distributed signed database. You will see many new applications leveraging this new option.
> We already have domain validated SSL certificates that meet that need quite adequately.
You haven't been around in the last year? When we had SSL attack after SSL attack? A 2 second email verification for a "valid for the entire world" certificate is not what I would call "quite adequately".
> The value in DNSSEC lies in being able to establish a coherent network based system of security policy distribution.
Sorry, I am not sure what this means. But if it is another application of distributed signed data, then yes, it is another case for the adoption of DNSSEC, not for criticism that it would block some filtering technique (which it doesn't).

Paul

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf