rpki vs. secure dns?
paul vixie
vixie at isc.org
Tue May 29 11:02:38 UTC 2012
On 5/29/2012 10:27 AM, Stephane Bortzmeyer wrote:
> On Mon, May 28, 2012 at 10:01:59PM +0000,
> paul vixie <vixie at isc.org> wrote
> a message of 37 lines which said:
>
>> i can tell more than that. rover is a system that only works at all
>> when everything everywhere is working well, and when changes always
>> come in perfect time-order,
> Exactly like DNSSEC.
no. dnssec for a response only needs that response's delegation and
signing path to work, not "everything everywhere".
> So, DNSSEC is doomed :-)
i hope not. if we had to start over on something that can protect the
cache against trivial pollution and also enable new applications like
DANE, we'd be ten years from first prototype instead of ten years from
ubiquity.
paul
More information about the NANOG
mailing list