hat tip to .gov hostmasters

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Sep 22 11:22:11 CDT 2008


> 
> The end-stage is secure only if at that stage you also set all DNS infrastructure to refuse to talk to any DNS client/server/resolver that DOES NOT validate and enforce DNSSEC.  Up until that point in time, there is NO CHANGE in the security posture from what we have today with no DNSSEC whatsoever.
> 
> To hold forth otherwise is to participate in deliberate fraud and misrepresentation of material facts.
> 
> 

	so you are a "fail/closed" proponent.
	a fail/open approach would have failure of DNSSEC-based validation behave
	just like the DNS of today.  The use of Trust Anchors and signed "islands"
	allow one to find "golden threads" of validated chains in the dns fabric ...
	e.g. incremental rollout vs flag day.

--bill




More information about the NANOG mailing list