From: "David P. Reed"
Date: Fri, 09 May 2014 21:30:58 -0400
To: Maciej Soltysiak, "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] "DNSSEC considered harmful"
List-Id: Development issues regarding the cerowrt test router project

Reading a lot of this stuff suggests at most that DNSSEC is being overhyped and poorly implemented.

As a reason to abandon work on deploying DNSSEC so that it's easier to instantiate man in the middle attacks I find it unconvincing.

Is there an alternative?

On May 8, 2014, Maciej Soltysiak <maciej@soltysiak.com> wrote:
> Hi,
>
> I read a Twitter conversation last night where somebody said DNSSEC is harmful. I asked why and I got this litany of issues: http://ianix.com/pub/dnssec-outages.html
>
> I was blown away not only by the sheer evidence of outages, but especially by the quotes in last sections: Miscellaneous and What a mess.
>
> I don't know, have a look, I just wanted to share as I wasn't aware of things that didn't go well with DNSSEC. I'm not suggesting anything re Cerowrt here.
>
> Best regards,
> Maciej


--
Sent from my Android device with K-@ Mail. Please excuse my brevity.