On Aug 15, 2008, at 8:10 AM, Paul Wouters wrote:
> Whether I get a fake CNN.com page is much less important to me than whether
> my NFS or mail server can be accessed by something
I'm not sure how relevant this is to the discussion, but I'll answer
the question anyway. I don't use NFS because (a) it doesn't work very
well in cross-platform environments and (b) its security model is "I
am the gooey center that your firewall must protect." And I pay
about $100/year to use SSL certs to protect all my IMAP, POP, SMTP and
HTTP transactions. And I use ssh for remote login, which, if it is
working correctly and not vulnerable to some zero-day hack, should
prevent MitM attacks from succeeding.
I don't see DNSSEC as being necessary to protect those protocols.
Once I succeed in talking to my server, I'm probably really talking to
my server. What I want DNSSEC for is to block the potential phishing
attacks we've talked about. Securing my zones, and adding a signed
zone in .se, are all steps on the way to that result.
But until we have root and .com signed, and until the average end-user
is protected by a validating resolver, we aren't done yet, and I don't
really get any actual benefit from my efforts. Which, tragically, is
why it's taking so long.
The reason I signed these zones is because I'm trying to increase the
net expertise in the world at doing these things by one head (mine)
and hoping to inspire others to follow suit. The more of us non-
DNSSEC-experts who decide they want DNSSEC and take the time to learn
how to make it happen, the sooner it will actually happen, because we
are the ones who will actually make it happen.
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop