Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)
Alex Bligh wrote:
> --On Monday, December 04, 2006 20:56:25 -0800 "Hallam-Baker, Phillip"
> wrote:
>> Rarely from securing an existing infrastructure.
>> Don't expect the existing uses of DNS to drive deployment of the DNSSEC
>> infrastructure. It can only serve those needs after the infrastructure is
>> almost complete.
> I'm not sure whether this is the same point Phil is making, but in case
> not, it seems to me the RoI argument is like expecting positive RoI on the
> deployment of the first telephone. From a resolver's point of view,
> deployment is not going to be particularly useful until there are a number
> of authoritative servers with secure data to look up; and from an authoritative
> server's point of view, deployment isn't particularly useful until there
> are a number of secure resolvers who know what to do with the data. Whilst
> the above is true, I am also hoping it's so blindingly obvious (being
> equally true for most other end-to-end protocols) that people realized it
> 15 years ago (*).
> As far as "no demand for DNSSEC" is concerned, I think it is fair to say I
> have not yet driven through parliament square in London only to be slowed
> by hordes of protesters carrying banners saying "what do we want? DNSSEC.
> when do we want it? Now. Well, as soon as a reasonable deployment plan can
> be worked out". However, I do recall going to a meeting a couple of months
> ago attended by (amongst others) one parliamentarian, and a
> representative from the UK Department of Trade and Industry, and being
> slightly surprised they were perfectly aware of the possibility of various
> DNS-related attacks (no doubt discovered through background research for
> other Phishing attacks) and that DNSSEC solved most of them. I suspect that
> signifies demand. And I suspect major registries aren't spending time
> contributing to drafts simply to keep their staff busy...
I suspect that we will see demand for DNSSEC the first time that a bank
sees a poisoning attack and their customers get redirected to a fake
site and their accounts drained as a result. Phishing attacks can be
alleviated since you can tell technologically that the site is not what
it claims. Their customers will demand it, the bank will be afraid not
to do it, the insurance companies make it a condition of coverage of
losses, etc. Then of course the military have a need for it. Of course
that still leaves the issue of validating resolvers not being
widely deployed (okay, so only a handful of people have deployed them).
That means that Microsoft needs to implement and deploy them as fast as
possible, since they will have, by far, the biggest effect on making
this happen. They are not the only ones of course but it will have the
biggest impact. So where does Microsoft stand in all of this?