NSEC3 issue: DNSSEC is too complex by half already



Geoff,

Partially in jest, but please consider adding this issue:

DNSSEC is too complex by half already
-------------------------------------

DNS is not a simple protocol. DNSSEC adds a degree of authentication and
integrity to DNS but at a vast cost: attempting to maintain the DNS packet
format and benefits of existing infrastructure has made the DNSSEC design a
triumph of cleverness and complexity.

NSEC3, introduced to add a modicum of privacy to zones, adds a further 42
pages of specifications.

NSEC3 might very well break the camel's back - insofar as it was intact up
to now.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
