I think the root and the TLD is just one blocking factor. Then, there's the
DNSSEC-aware recursive servers, the DNSSEC-aware host resolvers, signing all
those organization zones, and the fundamental "what's my ROI" question.

I have this vision of a jigsaw puzzle with about 6 or 8 pieces, that we have
to drop from a couple of feet off the ground and have all the pieces land in
place, interlocked, all at once to make DNSSEC fly...

The immediate RoI isn't directly like locking your door, because you don't
have the risk of anything being stolen *directly* from you if you don't
apply DNSSEC to your zones. It's more indirect - somebody else trying to
access your website won't be robbed through a phishing attack if you put a
lock on your door.

- Ralph


On 12/4/06 5:45 AM, "Shane Kerr" wrote:

> [ Apologies for a mostly non-technical mail that says what everybody already
> knows. ]
>
> Ralph Droms wrote:
>> What is the direct, immediate RoI for the resources I have to commit to
>> providing DNSSEC resolution for names in my zone? My external contacts
>> ("customers") may benefit from mitigation of attacks, but that's an indirect
>> benefit.
>
> Isn't this always the case with security though? What is the direct, immediate
> RoI for putting a lock on your door?
>
> I think the reason things like DNS and routing security don't get much traction
> is because there is much lower hanging fruit for attackers. If the end points of
> the Internet weren't so insecure, then things would be different.
>
> If DNSSEC stabilizes after NSEC3, then DNSSEC could slowly become part of the
> BCP for network operators. The blocking factor here is the TLD (and the root),
> which has little or nothing to do with RoI.
>
> - --
> Shane

