Phillip Hallam-Baker wrote:
What Mark is saying here is that DNSSEC is not designed to provide very much security and so does not need to be very secure.
What I'm saying is that plain old DNS is no less secure than DNSSEC.
What I am saying is that people are already assuming that DNSSEC provides a very much higher standard of security and that this is going to lead to new security failures.
Right, people who say "Historic Moment - Root zone of the Internet was just signed minutes ago!!!" are easy victims.

> 1) Cancel DNSSEC
>
> Not happening, move on.

The cancellation is not happening primarily because DNSSEC is not really happening.

> 3) Design a DNSSEC 2.0 that meets the expectations.
>
> Which is I think a lot easier than it may appear.

All we need is real deployment of DNS with longer message IDs.

See my recent (7/13) dnsext mail titled:

[dnsext] Extended ID

or ask again for details.

Masataka Ohta