Looking for dnssec-triggerd alpha testers!
"Jóhann B. Guðmundsson"
johannbg at gmail.com
Wed Sep 21 12:45:11 UTC 2011
On 09/21/2011 10:21 AM, Adam Tkac wrote:
> Another argument for enforcing DNSSEC is that in future (well, I believe
> :) ) DNS will be used as storage for X.509 certs, SSHFP records and
> other stuff. If we adopt "leisure" approach (automatic disabling of
> DNSSEC or ability to "click" somewhere on the applet to disable DNSSEC)
> then we can end in the same situation as we are currently with X.509
> certs. Everyone will simply click on "disable DNSSEC" button or, when
> MITM attack will be in progress, DNSSEC will be automatically disabled.
> This will degrade DNSSEC benefits.
Beside the obvious design flaws in dnssec and in the long run they only
solve a part of the problem how can you even consider removing the
ability for disabling dnssec when implementing and deploying and running
dnssec increases the complexity times hundred and people and isp's alike
cant even implement and properly run a simple dns server as it is now?
More information about the devel