From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Sat, 23 Jan 2010 19:42:52 -0500
To: 9fans@9fans.net
Message-ID:
In-Reply-To: <4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com>
References: <4B57048D.6040002@maht0x0r.net> <4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Are we ready for DNSSEC ?
Topicbox-Message-UUID: c58f4410-ead5-11e9-9d60-3106f5b1d025

> > By the end of May, all the root servers should be running DNSSEC
> >
> > http://royal.pingdom.com/2010/01/19/the-internet-is-about-to-get-a-lot-safer/
> >
> > Is Plan9 ready for such a move?
>
> Reading what D. J. Bernstein has to say about DNSSEC is always fun.
> See e.g. this paper http://cr.yp.to/talks/2009.08.10/slides.pdf about
> abusing DNSSEC to launch denial of service attacks. He has also
> proposed an alternative to DNSSEC, http://dnscurve.org/.

this isn't a technical discussion. regardless of the merits,
they're not implementing dnscurve on the root servers. they're
implementing dnssec.

so if you're interested in securing dns, say to prevent ssl
mitm attacks, i only see three choices

1. hold your nose. do dnssec.
2. put your head in the sand.
3. convince the world to use dnscurve.

- erik