

To: "'Masataka Ohta'" <mohta@necom830.hpcl.titech.ac.jp>, "'Loomis, Rip'" <GILBERT.R.LOOMIS@saic.com>
Cc: <dnsop@cafax.se>
From: "John M. Brown" <john@chagres.net>
Date: Mon, 14 Oct 2002 23:57:00 -0600
Importance: Normal
In-Reply-To: <200210150429.NAA03428@necom830.hpcl.titech.ac.jp>
Reply-To: <john@chagres.net>
Sender: owner-dnsop@cafax.se
Subject: RE: Interim signing of the root zone.

anycast root opens the root system up to more capture,
even if it's localized capture, it's still capture.

Who decides on who can "anycast" the zone and how do
we know it's the right zone?

signing the root, by whatever means is decided upon, helps
assure that the data is in fact "the original stuff".

If the country of Futuro (make believe) decides to run its
own "root" via an anycast system, and they change the
NS RR set for .JP, how are users going to know that?


maybe I'm just naive.....

john brown

> -----Original Message-----
> From: owner-dnsop@cafax.se [mailto:owner-dnsop@cafax.se] On 
> Behalf Of Masataka Ohta
> Sent: Monday, October 14, 2002 10:31 PM
> To: Loomis, Rip
> Cc: 'dnsop@cafax.se'
> Subject: Re: Interim signing of the root zone.
> 
> 
> Rip
> 
> > > > as dnssec is finally approaching deployment, it seems imprudent to
> > > > rush into a not obviously critical anycast deployment when a
> > > > little patience would seem harmless.
> > 
> > > DNSSEC, or any CA-based security, is not really secure and is 
> > > undeployable for any practical security.
> > 
> > With all due respect, you've made such claims/statements on the list
> > before,
> 
> And the only counter argument was:
> 
> 	My teacher taught me differently, I think.
> 
> > Please feel free to back up that opinion
> > with fact, or don't waste peoples' time with it.
> 
> If security is compromised, who pays how much?
> 
> Have you ever checked the reality of terms and conditions of CAs?
> 
> > Better yet,
> > if you think things are slightly broken then propose a fix. If you
> > think things are *very* broken then propose a workable alternative and
> > explain why things are so broken.
> 
> The current DNS is working well with weak security relying on ISPs.
> 
> Those who need additional security should share a secret end
> to end without introducing intelligent intermediate entities of CAs.
> 
> So, I don't think I have to propose a workable alternative.
> 
> Nonetheless, I proposed anycast root, which improves security
> against spoofed routes.
> 
> On the other hand, DNSSEC is unworkable as evidenced by the 
> failed deployment attempt for so many years.
> 
> Observing the failure, I gave an explanation why it is hopeless.
> 
> 							Masataka Ohta
> #----------------------------------------------------------------------
> # To unsubscribe, send a message to <dnsop-request@cafax.se>.
> 
