[OpenAFS] with or without krb5 and openldap?
Derek Atkins
warlord@MIT.EDU
01 Aug 2003 11:32:15 -0400
Russ Allbery <rra@stanford.edu> writes:
> DNSSEC doesn't actually exist in a deployable form for real-world
> applications even according to the people who designed it, but that's
> another argument.
It's certainly deployable in an enterprise. The problem is that it's
not deployable on a grand scale. I can EASILY secure my own zone in a
way that *I* can use the security (e.g. I could secure my Hesiod zone(s)
and verify the security in my Hesiod clients). The issue with DNSSec
is that it's difficult for *you* to verify my secured zone in a reasonable
manner.
IMHO those deficiencies are more targeted to normal DNS operations
rather than Hesiod-like operations. For example, I suspect that MIT
could sign its own Hesiod maps and distribute the verification key to the
vast majority of the clients on MITNet in order to secure its own
Hesiod.
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available