DNSSEC

[Anand Buddhdev]

On 10/05/2012 17:20, Daniel Ryšlink wrote:

> What's the point of DNSSec when resolver administrators configure
> exceptions on regular basis? If you can't be sure when your resolver
> does or does not validate, why having signed zones in the first place?
> It's just seems to be another "shared illusion of security" similar to PKI.

Daniel,

For many companies the bottom line is revenue. If a large ISP's
customers can't resolve some popular domains, and start calling to
complain, it would flood their helpdesks, and they would lose revenue.
They cannot afford to be idealists.

Comcast has taken a pragmatic view. I'm glad to see they've turned on
validation, but I can see why they need to configure exceptions. Without
being able to manage exceptions, large ISPs are not going to turn on
validation.

Regards,

Anand