> christian, your words echo some i heard recently from stuart cheshire:

Well, Stuart and I often disagree, so you might consider that us
agreeing somehow shows something...

> so, here's what i told stuart cheshire: if you believe that the web is
> all there is to the internet, or you believe that the approach taken for
> securing https/imaps/smtps is appropriate for all future
> applications/protocols used on the internet, then it's natural that you
> would think ssl/tls/x509 is all we need. i do not think that the
> ssl/tls/x509 model is futureproof, and so i think that we need something
> else, something more internet-like.

I am not so much looking at SSL as at end-to-end security. Name
resolution is one step in the end-to-end process of completing the
transaction. If you are really concerned about the security of the
application, you want to secure the entire process, not just one step.
You may use SSL, secure RTP, IPSEC, or maybe some application specific
solution. The point is, you will use something.

Now, consider the "market for DNS security". Logically, the early
adopters ought to be the most security conscious users. Yet, those
security conscious users are also most likely to deploy end-to-end
security for their application. They are thus not likely to invest in
yet another deployment, and to bear the management cost of yet another
system. They will only make this investment if securing the DNS brings
clear additional benefits, on top of what they already have.

What would be the characteristic of a DNS security system that
complements, rather than replaces, end-to-end security? For me, the
obvious answer would be to ensure availability of the DNS service. The
secure DNS should guarantee that, if the relevant name servers are
available and reachable, the name resolution transaction will complete.

The best "secure DNS" would be one that provides that guarantee at the
least possible deployment cost.

-- Christian Huitema

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: