Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Mark Andrews <Mark_Andrews@isc.org> Tue, 12 August 2008 22:49 UTC

Message-Id: <200808122243.m7CMh9tB072871@drugs.dv.isc.org>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-reply-to: Your message of "Tue, 12 Aug 2008 09:40:07 MST." <a06240800c4c76ac5cf38@[0.0.0.0]>
Date: Wed, 13 Aug 2008 08:43:09 +1000
List-ID: <namedroppers.ops.ietf.org>

> At 11:18 +1000 8/11/08, Mark Andrews wrote:
> 
> >	DNS security is required for SMTP security to work.
> 
> That is why the SIKED (Secure Internet KEy Distribution) BoF failed, 53rd IETF.
> 
> If SMTP security works because DNS security works, then a DNS 
> security failure means SMTP security fails too.  A house of cards. 
> This is what is feared.

Lots of things really depend on DNS working as intended.  I'm just
sick and tired of all those who think that hop by hop security is
enough for the DNS.  It isn't and it never has been.

It is time to put the little bit of effort into creating DNSKEYs
and signing your zones.  It really isn't a big operational effort
that everyone keeps saying it is without actually attempting to
do it.

> (see also http://www.potaroo.net/ietf/idref/draft-lewis-siked-dnsargs/)
> 
> Thanks to Geoff Huston for maintaining that repository.  Although I'd 
> call it "Pandora's Box" because of all of the bad ideas documented in 
> there that never made it to RFC. ;)
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis                                                +1-571-434-5468
> NeuStar
> 
> Never confuse activity with progress.  Activity pays more.
> 
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
