Re: DNSSEC - Signature Only vs the MX/A issue.
On Sun, Dec 10, 2006 at 09:12:31PM +0000, Paul Vixie wrote:
> so, here's what i told stuart cheshire: if you believe that the web is all
> there is to the internet, or you believe that the approach taken for securing
> https/imaps/smtps is appropriate for all future applications/protocols used
> on the internet, then it's natural that you would think ssl/tls/x509 is all
> we need. i do not think that the ssl/tls/x509 model is futureproof, and so
> i think that we need something else, something more internet-like.[/color]
I very much agree with this sentiment. But DNSSEC is not the answer as is
only sends out authenticated small and static messages.
It doesn't to whole transactions.
One cannot rely on DNSSEC for the whole shebang. In theory it could be the
conduit of a web of trust, perhaps that is what you mean?
Which makes the vast amount of effort and brain cycles on it all the more
puzzling. In the vein of your statement regarding the 'king makers' in the
browser that annoint X.509 certificate vendors, perhaps there is something
along those lines happening within DNS?
I honestly don't know (it wouldn't seem likely), but it is unclear to me why
people continue to expend so much time on such a small part of a secure
[url]http://www.PowerDNS.com[/url] Open source, database driven DNS Software
[url]http://netherlabs.nl[/url] Open and Closed source services
to unsubscribe send a message to [email]email@example.com[/email] with
the word 'unsubscribe' in a single line as the message text body.