This is a discussion on RE: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.) - DNS
> [email@example.com] On Behalf Of Shane Kerr
> Isn't this always the case with security though? What is the
> direct, immediate RoI for putting a lock on your door?
Rarely from securing an existing infrastructure.
Don't expect the existing uses of DNS to drive deployment of the DNSSEC
infrastructure. It can only serve those needs after the infrastructure
is almost complete.
Deployment of DNSSEC will be driven by the deployment of domain centric
security infrastructure such as DKIM and policy based network
administration to address the emerging challenge of deperimeterization.
There is a solid business case there but don't expect early adopters to
be the ones who are already satisfied.
> I think the reason things like DNS and routing security don't
> get much traction is because there is much lower hanging
> fruit for attackers. If the end points of the Internet
> weren't so insecure, then things would be different.
The business case for routing security will be driven by regulation.
> If DNSSEC stabilizes after NSEC3, then DNSSEC could slowly
> become part of the BCP for network operators. The blocking
> factor here is the TLD (and the root), which has little or
> nothing to do with RoI.
Stability is not a necessary condition for deployment. Meeting the
criteria considered essential by the key infrastructure providers is.