[78999] in North American Network Operators' Group

Re: DNS cache poisoning attacks -- are they real?

daemon@ATHENA.MIT.EDU (Edward Lewis)
Mon Mar 28 09:33:10 2005

In-Reply-To: <Pine.GSO.4.58.0503261947490.25244@clifden.donelan.com>
Date: Mon, 28 Mar 2005 09:31:06 -0500
To: Sean Donelan <sean@donelan.com>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: Joe Abley <jabley@isc.org>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu


At 20:15 -0500 3/26/05, Sean Donelan wrote:

>effort.  Why has SSH been so successful, and DNSSEC stumbled so badly?

Short answer to that question alone.  (Believe me, I've considered it too.)

SSH is an example of innovation that requires only the end points to 
cooperate - e.g., like TCP doing congestion control at the edges.  In 
particular, the key exchange in SSH is simplistic...

DNSSEC is a change to the operations at the mythical core of the 
Internet.  DNSSEC won't work until third parties are involved, i.e., 
the parents (et al.) of the server are involved, not just the server 
and client.  In particular, the key exchange in DNSSEC has been the 
sore spot.


Mythical core: in this case, the administration of the root zone, the 
TLDs, etc., not the routing/transit/peering core.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Achieving total enlightenment has taught me that ignorance is bliss.
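The trust-structure contrast the post draws (SSH needs only the two endpoints; DNSSEC needs every parent up to the trust anchor to publish a DS for its child) as a runnable toy, added here and not code from the post or from any DNSSEC or SSH implementation. Assumptions: the "signature" is an HMAC stand-in so the script runs on the Python standard library alone (real DNSSEC uses RSA/ECDSA/EdDSA signatures and real SSH uses host keys); the zone names, record and session bytes are constructed sample data.

```python
"""Toy model of two trust structures: SSH (endpoints only) versus DNSSEC
(every parent up to the trust anchor must publish a DS for its child).
Added illustration, not code from the post. The 'signature' is an HMAC
stand-in (assumption) so the script needs only the standard library."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


def sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for a digital signature: symmetric MAC, for a runnable toy only.
    return hmac.new(key, data, "sha256").digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def ds_digest(owner: str, key: bytes) -> bytes:
    # Shape of a real DS record: a digest over the owner name and the child's key.
    return hashlib.sha256(owner.lower().encode() + key).digest()


@dataclass
class Zone:
    name: str
    key: bytes
    parent: Optional["Zone"] = None
    ds: Dict[str, bytes] = field(default_factory=dict)  # DS records published for children

    def delegate(self, child: "Zone") -> None:
        """The third-party step DNSSEC needs: the parent publishes a DS for the child's key."""
        child.parent = self
        self.ds[child.name] = ds_digest(child.name, child.key)


def validate_dnssec(anchor: Zone, zone: Zone, rrdata: bytes, rrsig: bytes) -> bool:
    """Accept rrdata only if its RRSIG verifies under zone.key AND an unbroken
    chain of DS records links zone.key back to the configured trust anchor."""
    if not verify(zone.key, rrdata, rrsig):
        return False
    cur = zone
    while cur is not anchor:
        parent = cur.parent
        if parent is None:
            return False                      # island of security: no delegation path
        published = parent.ds.get(cur.name)
        if published is None:
            return False                      # parent never published a DS for this child
        if not hmac.compare_digest(published, ds_digest(cur.name, cur.key)):
            return False                      # DS does not match the key actually in use
        cur = parent
    return True


def validate_ssh(known_hosts: Dict[str, bytes], host: str, host_key: bytes,
                 data: bytes, sig: bytes) -> bool:
    """Trust-on-first-use: only client and server take part; first contact pins the key."""
    pinned = known_hosts.setdefault(host, host_key)
    return hmac.compare_digest(pinned, host_key) and verify(host_key, data, sig)


def demo() -> Dict[str, bool]:
    root = Zone(".", os.urandom(32))          # trust anchor
    com = Zone("com", os.urandom(32))
    example = Zone("example.com", os.urandom(32))
    root.delegate(com)
    rr = b"example.com. 3600 IN A 192.0.2.1"  # constructed sample record
    sig = sign(example.key, rr)

    results: Dict[str, bool] = {}
    # example.com has signed its data, but com has not published a DS yet: must fail.
    results["dnssec_before_parent_publishes_ds"] = validate_dnssec(root, example, rr, sig)
    com.delegate(example)
    results["dnssec_after_parent_publishes_ds"] = validate_dnssec(root, example, rr, sig)
    tampered = rr.replace(b"192.0.2.1", b"198.51.100.9")
    results["dnssec_tampered_rr"] = validate_dnssec(root, example, tampered, sig)
    # Rolling the key without the parent updating its DS breaks the chain again.
    example.key = os.urandom(32)
    results["dnssec_after_unannounced_key_rollover"] = validate_dnssec(
        root, example, rr, sign(example.key, rr))

    # SSH: the same two parties every time, no third party required.
    known_hosts: Dict[str, bytes] = {}
    server_key = os.urandom(32)
    msg = b"ssh session transcript"           # constructed sample data
    results["ssh_first_use"] = validate_ssh(known_hosts, "host.example", server_key, msg, sign(server_key, msg))
    results["ssh_same_key_again"] = validate_ssh(known_hosts, "host.example", server_key, msg, sign(server_key, msg))
    mitm_key = os.urandom(32)
    results["ssh_key_changed"] = validate_ssh(known_hosts, "host.example", mitm_key, msg, sign(mitm_key, msg))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:40s} {ok}")
```

The point the model makes concrete: a correctly signed example.com zone is rejected until com (a party to neither the query nor the answer) publishes a matching DS, and rejected again after an unannounced key rollover, whereas the SSH client needs nothing from anyone but the server it is talking to.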