[108009] in North American Network Operators' Group
Re: hat tip to .gov hostmasters
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Mon Sep 22 12:24:14 2008
Date: Mon, 22 Sep 2008 16:22:11 +0000
From: bmanning@vacation.karoshi.com
To: Keith Medcalf <kmedcalf@dessus.com>
In-Reply-To: <81434005e9f40a458bb39ab7d95910c1@mail.dessus.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
>
> The end-stage is secure only if at that stage you also set all DNS infrastructure to refuse to talk to any DNS client/server/resolver that DOES NOT validate and enforce DNSSEC. Up until that point in time, there is NO CHANGE in the security posture from what we have today with no DNSSEC whatsoever.
>
> To hold forth otherwise is to participate in deliberate fraud and misrepresentation of material facts.
>
>
so you are a "fail/closed" proponent.
a fail/open approach would have failure of DNSSEC-based validation behave
just like the DNS of today. The use of Trust Anchors and signed "islands"
allow one to find "golden threads" of validated chains in the dns fabric ...
e.g. incremental rollout vs flag day.
--bill
