[NA-Discuss] Stability, Security, and Resilience of the DNS Review Team
John R. Levine
johnl at iecc.com
Thu Apr 7 22:42:49 UTC 2011
> Just to be clear... you're saying the benefits of universal DNSSEC outweigh
> the costs, even for smaller (and less financially capable) TLDs. (And there
> will certainly be costs to implement, even if the software itself is
> free...)

If you'd asked me a year or two ago, I would have said no, but now I think
it does. It requires some expertise, but at this point, anyone who can't
figure out DNSSEC has no business running a TLD. "Less financially
capable" doesn't mean less smart, just perhaps less trained, which is
straightforward to fix.

Also, some of the DNS attacks which seemed hypothetical have now turned
out to be more practical than we thought, and there are some useful things
you can do with domain names with DNSSEC -- a name with a DNSSEC chain
back to the root is as secure as an SSL certificate, at typically much
lower cost. That might well turn out to be attractive for people with
less money.

And finally, if you think that everyone will eventually need DNSSEC, which
I do, it is vastly easier to design it into your systems from the
beginning than to try to retrofit it to something that's already running.

So new registries should just do it. It's not that hard, and the
potential benefits are significant.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly