more ad hominem and irrelevant comparisons.

The key point is choice. Just as some people CHOOSE to install products such as Norton Anti-Virus that stop certain applications running on their machine, the typical Internet user should probably CHOOSE to use a DNS service that has the known crimeware sites eliminated.

The point is that the particular obsession with 'end to end' solutions means that we lose the ability to deploy architectures that provide greater protection against the attacks that actually matter.

DNS hijacking is a very rare type of attack. Securing the mapping of DNS names to IP addresses will not provide a major reduction in expected losses due to attacks. We already have domain validated SSL certificates that meet that need quite adequately.

The value in DNSSEC lies in being able to establish a coherent network based system of security policy distribution.

On Thu, Feb 18, 2010 at 7:41 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
>
>> The point is not to protect the DNS. The point is to protect the
>> people. And that means that maybe you don't want your machine to
>> resolve every domain name.
>
> That sounds very much like the tapping/crypto debate. "You may not
> secure your communications because we're using its weaknesses for your
> protection".
>
> Not securing DNS because some people are using it for something completely
> different, namely a filtering service, is not an acceptable solution.
>
> But besides that, services like opendns can still fetch and validate DNS,
> and then continue to strip it and rewrite it for those endusers that prefer
> such a service. DNSSEC does not change that at all.
>
> Paul
>

-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf