Exponent 3 damage spreads...
Ben Laurie
ben at algroup.co.uk
Mon Sep 11 04:03:07 EDT 2006
James A. Donald wrote:
> --
> James A. Donald wrote:
>> > What is the penetration of Secure DNS?
>
> Ben Laurie wrote:
>> Anyone who is running any vaguely recent version of
>> BIND is DNSSEC enabled, whether they are using it now
>> or not.
>
> I am not well informed about DNSSEC, but I am under the
> impression that:
>
> 1. Actually using DNSSEC is a major performance hit.
No more than using SSL. Well, not much more :-)
> 2. Actually using DNSSEC requires manual secure master
> public key distribution, which people are disinclined
> to do, and which may not scale very well, unless
> unspecified institutions and arrangements are put in
> place.
Key distribution is, indeed, an open question. Certainly manual key
distribution is not a solution.
> 3. No one actually uses DNSSEC in the wild.
I don't know whether this is true or not. Finding out what people do and
don't do with DNS is hard.
> Please advise me if these impressions are wrong, or have
> become outdated.
>
> I realize that I sound like a cold wet sponge with a
> non-stop stream of unpleasantly negative posts, but one of
> the reasons that cryptography is not widely used is that
> the various standards, processes, and tools are not in
> fact very usable.
Doesn't bother me any, it's just that I happen to have done work on
DNSSEC, so I figured I should alert those who care to the problem.
> Implementing protocols requires widespread consensus,
> but when too many people show at a meeting then either
> nothing gets done, or the outcome is extremely stupid,
> or both, and anyone who points to big problems in what
> is being done is dismissed as out of order or off topic
> in order to create the semblance of progress, with the
> result that what little progress occurs is usually in
> the wrong direction.
That seems a rather harsh judgement of a working group you say you're
not informed about.
Not that I totally disagree: the work I did on DNSSEC was initially
dismissed as out of order and off topic, and it took a lot of effort to
get people to accept that the problem was genuine. :-)
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com