Re: hat tip to .gov hostmasters

• From: bmanning
• Date: Mon Sep 22 12:24:10 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

> 
> The end-stage is secure only if at that stage you also set all DNS infrastructure to refuse to talk to any DNS client/server/resolver that DOES NOT validate and enforce DNSSEC.  Up until that point in time, there is NO CHANGE in the security posture from what we have today with no DNSSEC whatsoever.
> 
> To hold forth otherwise is to participate in deliberate fraud and misrepresentation of material facts.
> 
> 

	so you are a "fail/closed" proponent.
	a fail/open approach would have failure of DNSSEC-based validation behave
	just like the DNS of today.  The use of Trust Anchors and signed "islands"
	allow one to find "golden threads" of validated chains in the dns fabric ...
	e.g. incremental rollout vs flag day.

--bill

• References:
  • Re: hat tip to .gov hostmasters Florian Weimer
  • RE: hat tip to .gov hostmasters Keith Medcalf

• Prev by Date: Re: hat tip to .gov hostmasters
• Next by Date: Re: hat tip to .gov hostmasters
• Date Index
• Thread Index
• Author Index
• Historical