nanog mailing list archives
Re: hat tip to .gov hostmasters
From: bmanning () vacation karoshi com
Date: Mon, 22 Sep 2008 16:22:11 +0000
The end-stage is secure only if at that stage you also set all DNS infrastructure to refuse to talk to any DNS client/server/resolver that DOES NOT validate and enforce DNSSEC. Up until that point in time, there is NO CHANGE in the security posture from what we have today with no DNSSEC whatsoever. To hold forth otherwise is to participate in deliberate fraud and misrepresentation of material facts.
so you are a "fail/closed" proponent.
a fail/open approach would have failure of DNSSEC-based validation behave
just like the DNS of today. The use of Trust Anchors and signed "islands"
allow one to find "golden threads" of validated chains in the dns fabric ...
e.g. incremental rollout vs flag day.
--bill
Current thread:
- Re: hat tip to .gov hostmasters, (continued)
- Re: hat tip to .gov hostmasters bmanning (Sep 22)
- Re: hat tip to .gov hostmasters Edward Lewis (Sep 22)
- Re: hat tip to .gov hostmasters bmanning (Sep 22)
- Re: hat tip to .gov hostmasters Mark Andrews (Sep 22)
- RE: hat tip to .gov hostmasters Keith Medcalf (Sep 22)
- Re: hat tip to .gov hostmasters Florian Weimer (Sep 22)
- RE: hat tip to .gov hostmasters Keith Medcalf (Sep 22)
- Re: hat tip to .gov hostmasters Scott Francis (Sep 22)
- RE: hat tip to .gov hostmasters Keith Medcalf (Sep 22)
- Re: hat tip to .gov hostmasters bmanning (Sep 22)
- Re: hat tip to .gov hostmasters bmanning (Sep 22)
- Re: hat tip to .gov hostmasters bmanning (Sep 22)
- Re: hat tip to .gov hostmasters David Conrad (Sep 22)
- Re: hat tip to .gov hostmasters David Conrad (Sep 22)
- Re: hat tip to .gov hostmasters Chris Owen (Sep 22)
- Re: hat tip to .gov hostmasters Simon Vallet (Sep 22)
- Re: hat tip to .gov hostmasters Jason Frisvold (Sep 22)
- Re: hat tip to .gov hostmasters Michael Thomas (Sep 22)
- Re: hat tip to .gov hostmasters Scott Francis (Sep 22)