[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wildcards, dnssec, and opt-in

To: David Conrad <david.conrad@nominum.com>
Subject: Re: wildcards, dnssec, and opt-in
From: Roy Arends <roy@logmess.com>
Date: Thu, 19 Sep 2002 18:21:46 +0200 (CEST)
Cc: Jakob Schlyter <jakob@crt.se>, "Hallam-Baker, Phillip" <pbaker@verisign.com>, Brian Wellington <Brian.Wellington@nominum.com>, Jaap Akkerhuis <jaap@sidn.nl>, "'Edward Lewis'" <edlewis@arin.net>, namedroppers <namedroppers@ops.ietf.org>
In-reply-to: <B9ADFA21.12740%david.conrad@nominum.com>

On Wed, 18 Sep 2002, David Conrad wrote:

> Roy,
>
> On 9/18/02 8:39 AM, "Roy Arends" <roy@logmess.com> wrote:
> > On Wed, 18 Sep 2002, Jakob Schlyter wrote:
> >> On Wed, 18 Sep 2002, Roy Arends wrote:
> >>>> people will deploy dnssec either to increase the security of the dns or to
> >>>> make money. I would guess verisign falls into the second category.
> >>> Nonsense.
> >>>
> >>> People will deploy dnssec to increase the security of the DNS and (or) not
> >>> to loose money (because of lack of security). These are effectively the
> >>> same.
> >>
> >> yes, that may be true for end-zone administrators - I was talking about
> >> the registry.
> >
> > fud, stop it :-)
>
> This is not FUD.
>
> Whether any registry deploys DNSSEC is a business decision of that registry.
> The registry, by and large, is not affected by the integrity issues DNSSEC
> protects against.  If the registry's customers really want (that is, be
> willing to pay for) DNSSEC, it will get deployed, regardless of the
> implications that deployment might have on the registry's infrastructure.

You just proved my point. Not deploying DNSSEC means loosing money. No
commercial entity will be healthy just living by the promise of loosing
money. But that might not be the only motivation.

> Unfortunately, to date, there has not been significant demand for DNSSEC
> from customers.  As such, any registry that considers deploying it must be
> willing to assume some risk, believing that in the future customers will
> want DNSSEC.  What I take Phill's comments to mean is that Verisign is not
> willing to take the risk.

Take Phill's comment for what they are, I was merely responding to the 2
extreme motivations to "deploy dnssec" that were presented by Jakob, as
if no other motivations where possible. That, and the fact that his
conclusions where based without motivation, and on a technical list like
this, lead me to conclude it was FUD. It still is.

roy


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

References:
- Re: wildcards, dnssec, and opt-in
  - From: David Conrad <david.conrad@nominum.com>

Prev by Date: RE: opt-in and large zones
Next by Date: Re: DNSSEXT Yokohama Minutes
Previous by thread: Re: wildcards, dnssec, and opt-in
Next by thread: Re: wildcards, dnssec, and opt-in
Index(es):
- Date
- Thread