To: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
CC: "'dnsop@cafax.se'" <dnsop@cafax.se>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Tue, 15 Oct 2002 13:29:35 +0859 ()
In-Reply-To: <3C1E3607B37295439F7C409EFBA08E6803B957BC@US-Columbia-CIST.mail.saic.com> from "Loomis, Rip" at "Oct 10, 2002 10:30:32 pm"
Sender: owner-dnsop@cafax.se
Subject: Re: Interim signing of the root zone.
Rip

> > > as dnssec is finally approaching deployment, it seems
> > > imprudent to rush into a not obviously critical anycast
> > > deployment when a little patience would seem harmless.
> >
> > DNSSEC, or any CA-based security, is not really secure and is
> > undeployable for any practical security.
>
> With all due respect, you've made such claims/statements on
> the list before,

And the only counter argument was:

	My teacher taught me differently, I think.

> Please feel free to back up that opinion
> with fact, or don't waste peoples' time with it.

If security is compromised, who pays how much?

Have you ever checked the reality of terms and conditions of CAs?

> Better yet,
> if you think things are slightly broken then propose a fix.
> If you think things are *very* broken then propose a workable
> alternative and explain why things are so broken.

The current DNS is working well with weak security relying on ISPs.

Those who need additional security should share a secret end to end
without introducing intelligent intermediate entities of CAs.

So, I don't think I have to propose a workable alternative.

Nonetheless, I proposed anycast root, which improves security against
spoofed route.

On the other hand, DNSSEC is unworkable as evidenced by the failed
deployment attempt for so many years.

Observing the failure, I gave an explanation why it is hopeless.

						Masataka Ohta