DNSSEC is a PKI and running a PKI is never a trivial matter.

One of the reasons I have serious concern about the prospects for deployment of DNSSEC is that the answer to many of my questions is either a blank stare, an off-the-cuff answer clearly made up on the spot or the claim that it is something for the market to decide on.

As things stand, we have an excellent architecture for securing distribution of DNS A and AAAA records. We are thus confident of our ability to transfer attacks from the DNS system, where the effect of attacks is pretty much localized, to the BGP system, whose fragility was demonstrated only last Friday by RIPE.

Is this really progress?

Out in Iraq, there is a water treatment plant that cost $110 million to build. So far it has delivered absolutely no clean water to any homes because nobody considered the need to build a pipe to connect the water treatment plant to the city water mains.

There is a metaphor there if people want to see it.

On Tue, Aug 31, 2010 at 7:07 AM, Richard L. Barnes <rbarnes@xxxxxxx> wrote:
> Another view, for the visually inclined:
> <http://dnsviz.net/d/iab.org/dnssec/>
>
> On Aug 31, 2010, at 2:41 AM, Stephane Bortzmeyer wrote:
>
>> % check-sig iab.org
>> Name iab.org has an expired signature (20100829223019)
>>
>> :-(
>> _______________________________________________
>> Ietf mailing list
>> Ietf@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ietf

--
Website: http://hallambaker.com/