On 18/05/13 04:42, bad apple wrote:
>
> +5: "Insightful"

Blush.

> Saved me a massive future rant. Also, in a moment of madness when I
> typed that earlier email I hadn't even considered the situation with..
> *shudders* registrars. Oh well, I guess, like IPv6 this is just another
> one of those things that we're just going to have to wait for mainstream
> adoption to kick in before we can all enjoy it. By which point it will
> of course probably be obsolete.

Like IPv6 the developers were more concerned with solving the technical problems, and less with how to drive adoption. Given the technical problems are formidable I'm not blaming anyone for that, but clearly it needs to be a bigger part of standard formation if tweaking or replacing what exists.

I'd say DNSSEC is a reality so don't wait, it just is painful for existing people in the domain business to add it retrospectively to their processes. If your security requirements make DNSSEC desirable, ask for it, or move the domain to someone who has done this process already (this will be compelling to management in those companies that don't have full support yet, if they see business leaving).

I noted Google don't appear to be signing their DNS zones with DNSSEC, not even on the gmail side. They do use HTTPS (with HSTS) and TLS with email protocols on that side (and more broadly), so possibly they might argue the benefits are more marginal, but they must still be a high profile target.

PayPal announced it had signed all its zones in Dec 2011, Ebay don't. I find that curious and telling ;)

Amazon's Route53 doesn't support DNSSEC yet.

Those domains that benefit most, have clout, and are probably only transferred on an as needed basis for this sort of thing.

The run of the mill domains are vanity, or small business, and move every time they get a new web designer because small web designers often don't know much beyond "my current hosting works", and go "wibble" when faced with updating DNS records (which is fair enough I suppose, they face down CSS each day that is enough for most people's brains).

Strangely the Server Name Indication (SNI), which adds virtual hosting to HTTPS, is all but here, all we need now is to wait for IE8, and Android 2.x browser to die if Wikipedia is to be trusted. Whilst I think it will be good for IPv4 address saving, and good for certificate vendors, I'm not sure it will do anything for the integrity of Spafford's cardboard boxes. Microsoft and Google could presumably accelerate the process (if they aren't already) by updating those two browsers.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq