Re: Jessie release goal: DNSSEC as default recursive resolver
On 03-11-13 19:05, Marko Randjelovic wrote:
> On Sun, 3 Nov 2013 12:32:40 +0100
> Bastian Blank <firstname.lastname@example.org> wrote:
>> On Sun, Nov 03, 2013 at 11:15:36AM +0100, Marko Randjelovic wrote:
>>> Just to say we should not expect too much from DNSSEC because DNSSEC is centralized:
>> Could you explain the problems you see a bit more verbosely?
>> This is just an announcement and nothing about DNSSEC.
> It is explained in a PDF document that can be downloaded from that page.
Basically, that document says "the DNSSEC root key is in the US, and we
can't trust the NSA, so we can't trust DNSSEC".
While not entirely untrue, it's probably also not something we can fix.
At any rate, the proposed "solution" ("let's throw out DNS and replace
it with something that requires everyone to run their own server on
which they first need to change some configuration before they'll be
able to access _any_ website") seems a bit far-fetched to me.
What's more, while I'll be the first one to agree that DNSSEC is not
perfect, it sure is a hell of a lot better than regular DNS today; the
fact that there are flaws should not have to imply that we should ignore it.
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you
will not go to space today.