[NA-Discuss] Stability, Security, and Resilience of the DNS Review Team

John R. Levine johnl at iecc.com
Thu Apr 7 22:42:49 UTC 2011

> Just to be clear... you're saying the benefits of universal DNSSEC outweigh
> the costs, even for smaller (and less financially capable) TLDs. (And there
> will certainly be costs to implement, even if the software itself is
> free...)

If you'd asked me a year or two ago, I would have said no, but now I think 
it does.  It requires some expertise, but at this point, anyone who can't 
figure out DNSSEC has no business running a TLD.  "Less financially 
capable" doesn't mean less smart, just perhaps less trained which is 
straightforward to fix.

Also, some of the DNS attacks which seemed hypothetical have now turned 
out to be more practical than we thought, and there are some useful things 
you can do with domain names with DNSSEC -- a name with a DNSSEC chain 
back to the root is as secure as an SSL certificate, at typically much 
lower cost.  That might well turn out to be attractive for people with 
less money.

And finally, if you think that everyone will eventually need DNSSEC, which 
I do, it is vastly easier to design it into your systems from the 
beginning than to try to retrofit it to something that's already running. 
So new registries should just do it.  It's not that hard, and the 
potential benefits are significant.

John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

More information about the NA-Discuss mailing list