[At-Large] (No so) Serious Allegations
McTim
dogwallah at gmail.com
Thu Nov 27 01:01:27 EST 2008
Danny,
On Wed, Nov 26, 2008 at 10:44 PM, Danny Younger <dannyyounger at yahoo.com> wrote:
> Patrick,
>
> There are issues raised by the author of this comment that can only reasonably be assessed by other competent engineers (and I am not an engineer), so I am not looking for an assessment as to whether this engineer is a troll or not, but to know if his comments are reasonable when evaluated as engineering concerns by other engineers.
>
> The comments made under the heading "DNSSEC Suicide" could be viewed by most laymen as more than somewhat disconcerting. Is there merit in his argument, or not?
Here are his objections:

1. DNSSEC does not secure DNS services to any reasonable expectation of security.

DNSSEC is not a panacea; it only does a specific thing, and only does that thing if all configs are done correctly. It's a specific reaction to a specific set of threats.

2. Deployment of DNSSEC on Root servers enables new DNS Amplification Attacks which cannot be easily mitigated.

But they can be mitigated. It's a showstopper for him, but seemingly not for the IETF et al.

3. Trust and confidence in DNSSEC is misplaced because critics have been silenced and many problems have not been addressed.

The problems in designing the spec have been many and varied; addressing them has been the main reason it's taken ~10 years for DNSSEC to evolve into its present form.

Is it possible to misconfigure DNSSEC so that you're effectively offline? Yes, that's the design. That doesn't mean it can't or shouldn't be deployed; it just means that care needs to be taken when implementing it.

DNSSEC is going to be hard to deploy globally... on a similar scale to IPv6. It's not a point-and-click kind of thing like an antivirus program.

If he has a better plan to provide a layer of security to DNS queries and replies, I haven't heard it.
--
Cheers,
McTim
http://stateoftheinternetin.ug
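Editor's added example (not part of McTim's message or the thread): the second objection above is that large signed answers make an authoritative server a better reflector, and the reply is that this can be mitigated. One widely deployed mitigation on authoritative servers is response rate limiting (RRL): cap how many identical responses go to one client network per second and answer the excess with a small truncated reply, which a real resolver retries over TCP and a spoofed source never sees. The code below is a simplified model of that idea written for this page; the traffic, thresholds, prefix length and response sizes are constructed assumptions, not any server's actual implementation or measured data.

```python
"""Simplified response rate limiting (RRL) model, an added example.

Models the mitigation idea behind point 2 of the message: an authoritative
server that limits identical responses per client /24 per second and sends a
small truncated (TC) reply for a share of the excess instead of the full
DNSSEC answer. Sample traffic is constructed; sizes and limits are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    t: float            # arrival time in seconds
    client_ip: str      # claimed source address (may be spoofed)
    qname: str
    qtype: str
    response_size: int  # bytes the full answer would occupy (assumed)


def client_prefix(ip: str, bits: int = 24) -> str:
    """Bucket IPv4 clients by prefix so a spoofed range is limited together."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected: %r" % ip)
    keep = bits // 8
    return ".".join(octets[:keep] + ["0"] * (4 - keep)) + "/%d" % bits


class ResponseRateLimiter:
    """Sliding-window limiter keyed on (client prefix, qname, qtype)."""

    def __init__(self, responses_per_second: int = 5, slip: int = 2, window: float = 1.0):
        self.limit = responses_per_second   # identical answers allowed per window
        self.slip = slip                    # every Nth excess query gets a TC reply
        self.window = window
        self.sent = defaultdict(list)       # key -> timestamps of answers sent
        self.excess = defaultdict(int)      # key -> count of rate-limited queries

    def decide(self, q: Query) -> str:
        key = (client_prefix(q.client_ip), q.qname, q.qtype)
        stamps = self.sent[key]
        # Forget answers that fell out of the window.
        while stamps and q.t - stamps[0] >= self.window:
            stamps.pop(0)
        if len(stamps) < self.limit:
            stamps.append(q.t)
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"   # tiny TC=1 reply; legitimate resolvers retry over TCP
        return "drop"


def sample_traffic():
    """Constructed traffic: 20 identical DNSKEY queries within 0.2 s from one
    /24 (the reflection pattern) plus two ordinary queries from another net."""
    flood = [Query(0.01 * i, "203.0.113.%d" % (i % 4 + 1), "example.", "DNSKEY", 1800)
             for i in range(20)]
    legit = [Query(0.05, "198.51.100.7", "example.", "A", 120),
             Query(0.50, "198.51.100.7", "www.example.", "A", 120)]
    return sorted(flood + legit, key=lambda q: q.t)


def simulate(limiter=None, tc_size: int = 48) -> dict:
    """Run the sample traffic through the limiter and report decisions and
    bytes that would leave the server with and without RRL."""
    limiter = limiter or ResponseRateLimiter()
    stats = {"answer": 0, "truncate": 0, "drop": 0,
             "bytes_with_rrl": 0, "bytes_without_rrl": 0}
    for q in sample_traffic():
        decision = limiter.decide(q)
        stats[decision] += 1
        stats["bytes_without_rrl"] += q.response_size
        if decision == "answer":
            stats["bytes_with_rrl"] += q.response_size
        elif decision == "truncate":
            stats["bytes_with_rrl"] += tc_size
    return stats


if __name__ == "__main__":
    for k, v in simulate().items():
        print("%-18s %d" % (k, v))
```

With the assumed numbers the flood's /24 gets five full 1800-byte answers, then alternating tiny truncated replies and silence, while the unrelated client on 198.51.100.0/24 is answered normally; outbound bytes drop from 36240 to 9576. The key is the client prefix rather than the exact address precisely because the source of a reflected query is forged.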