Re: DNSSEC is almost worthless!

Paul Vixie <paul@vix.com> Sun, 05 March 2006 19:15 UTC

From: Paul Vixie <paul@vix.com>
Subject: Re: DNSSEC is almost worthless!
Date: Sun, 05 Mar 2006 19:15:51 +0000
Lines: 27
References: <440B18A9.4010407@connotech.com>
To: namedroppers@ops.ietf.org
In-Reply-To: Your message of "Sun, 05 Mar 2006 11:58:17 EST." <440B18A9.4010407@connotech.com>
Message-ID: <20140418072135.2560.44228.ARCHIVE@ietfa.amsl.com>

# In addition, the end-to-end cryptographic assurance is perhaps justified
# mostly because there are too many nameservers operating with BIND version
# prior to 8.4 (these are vulnerable to the DNS cache poisoning attack).

no part of the justification of DNSSEC relates to poison-susceptible name
server implementations.  any cache can be poisoned, including modern BIND9
or DJBDNS with all known anti-poison features enabled.

# TAKREM for DNSSEC (draft-moreau-dnsext-sdda-rr-01.txt,
# draft-moreau-dnsext-takrem-dns-01.txt) is *both* rigorous *and*
# efficient. Efficiency would be beneficial to DNSSEC deployment if there was
# value in DNSSEC to justify its deployment in the first place. About TAKREM
# rigor, the above suggests that the intrinsic security properties of TAKREM
# might appear as *lowering* the value of DNSSEC for governments.

i believe that we'll be able to resolve trust anchor management without
subjecting ourselves to anyone's IPR claims.  the first step toward this
will be to ignore known-encumbered technology.  an eventual step will be
to try to avoid submarine IPR with field surveys.  the final step will be
to fight (in the market and/or in the courts) the IPR holders who will
claim overbroad coverage for their IPR.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>