[144506] in North American Network Operators' Group


Re: Why are we still using the CA model? (Re: Microsoft deems all

daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Sep 12 17:38:47 2011

Date: Mon, 12 Sep 2011 22:37:18 +0100
From: Tony Finch <dot@dotat.at>
To: Mike Jones <mike@mikejones.in>
In-Reply-To: <CAAAas8Fua4EbjwKs_wkrcyr1Y6TqXQYNOAC5VGANKmh3hNSfUA@mail.gmail.com>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Mike Jones <mike@mikejones.in> wrote:
>
> DNSSEC deployment is advanced enough now to do that automatically at the
> client.

Sadly not quite. DNSSEC does have the potential to provide an alternative
public key infrastructure, and I'm keen to see that happen. But although
it works well between authoritative servers and recursive resolvers, there
are a lot of shitty DNS forwarders in CPE and captive portals and so on
which do not understand DNSSEC. And DNSSEC does not work unless all the
forwarders and recursors that you are using support it. So DNSSEC on the
client has a long way to go.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Hebrides, Southeast Bailey: Westerly 5 to 7 until later in south Hebrides,
otherwise northwesterly 3 or 4, increasing 5 to 7. Rough or very rough,
occasionally high in south Hebrides. Rain or showers. Good, occasionally
poor.
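
The forwarder problem described in this message can be observed from the client by sending a query with the EDNS0 DO bit set and checking whether the OPT record and RRSIGs come back. The sketch below is an added example, not part of the original message; the function names and the two sample responses are constructed for illustration.

```python
import struct
RRSIG, OPT = 46, 41  # RR type codes (RFC 4034, RFC 6891)

def question(name, qtype=1):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return qname + b"\0" + struct.pack("!HH", qtype, 1)

# EDNS0 OPT pseudo-RR: class = UDP payload size, TTL field carries DO (0x8000).
OPT_DO = b"\0" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)

def build_query(name, qid=0x1234):
    # RD set, one question, one additional record (the OPT with DO)
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1) + question(name) + OPT_DO

def skip_name(msg, off):
    """Offset just past a domain name; a compression pointer ends the name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def check_response(msg):
    """Report which DNSSEC material survived the path back to the client.
    'usable' requires the signatures themselves, not just an AD bit."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    seen = {"edns": False, "do": False, "rrsig": False, "ad": bool(flags & 0x0020)}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            seen["edns"], seen["do"] = True, bool(ttl & 0x8000)
        elif rtype == RRSIG and i < an:
            seen["rrsig"] = True
    seen["usable"] = seen["edns"] and seen["rrsig"]
    return seen

# Constructed sample responses for example.com A (RRSIG rdata is a placeholder).
Q = question("example.com")
A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SIG = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 8) + b"\0" * 8
VIA_DNSSEC_AWARE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + Q + A + SIG + OPT_DO
VIA_OLD_FORWARDER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + Q + A
```

To probe a real path, send `build_query(name)` over UDP to the configured resolver and pass the reply to `check_response`.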

