MoinQ:

1. DNS/DNSSEC/good-bad

DNSSEC protects against

On the second point: there does seem to be potential for improvement when the secondary servers cannot be trusted.


DNSSEC: How compelling?

2. Other reasons

Coercive reasons are omitted (e.g., because customers demand it).

 great excuse to clean up your DNS!

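So that's the angle. Isn't the order backwards?

  DNSSEC cannot be used unless your DNS configuration is in proper order.

It seems correct that, beyond just supporting DNSSEC, providers who cannot configure DNS properly will not survive.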

3. slide page 24

On the delegation issue

And not in com!

So if your zone is not signed, but .com is, you don't benefit at all

4. slide 25

If your zone IS signed, verification only really happens at the very end

5. slide 26

DNSSEC technique: denial of service

This means that DNSSEC does nothing to protect the interim resolution steps

6. slide 31

Current DNSSEC deployments are secure up to the ISP's resolver

7. slide 32

End-to-End DNSSEC

Better solutions mean that the ISP resolver ships all the signing proof to the stub resolver in the client PC (nice)

8. xxx

Downgrade attacks are a big worry, it is very tricky to encode if a domain has DNSSEC enabled

Unsure how to deal with 'degrading' a broken protocol

9. Summary

It is there. It is usable. But there are many defects, and many problems. ...