Looking for dnssec-triggerd alpha testers!

"Jóhann B. Guðmundsson" johannbg at gmail.com
Wed Sep 21 12:45:11 UTC 2011

On 09/21/2011 10:21 AM, Adam Tkac wrote:
> Another argument for enforcing DNSSEC is that in future (well, I believe
> :)  ) DNS will be used as storage for X.509 certs, SSHFP records and
> other stuff. If we adopt "leisure" approach (automatic disabling of
> DNSSEC or ability to "click" somewhere on the applet to disable DNSSEC)
> then we can end in the same situation as we are currently with X.509
> certs. Everyone will simply click on "disable DNSSEC" button or, when
> MITM attack will be in progress, DNSSEC will be automatically disabled.
> This will degrade DNSSEC benefits.

Beside the obvious design flaws in dnssec and in the long run they only 
solve a part of the problem how can you even consider removing the 
ability for disabling dnssec when implementing and deploying and running 
dnssec increases the complexity times hundred and people and isp's alike 
cant even implement and properly run a simple dns server as it is now?


More information about the devel mailing list