[OpenAFS] with or without krb5 and openldap?
Russ Allbery
rra@stanford.edu
Fri, 01 Aug 2003 15:54:12 -0700
Derek Atkins <warlord@MIT.EDU> writes:
> It's certainly deployable in an enterprise. The problem is that it's
> not deployable on a grand scale. I can EASILY secure my own zone in a
> way that *I* can use the security (e.g. I could secure my Hesiod zone(s)
> and verify the security in my Hesiod clients). The issue with DNSSec is
> that it's difficult for *you* to verify my secured zone in a reasonable
> manner.
Except that, as I understand it, the DNSSEC protocol has been determined
to be broken as designed and will likely be thrown out and redesigned, so
you'd be sticking yourself in a dead-end hole with no future support.
That's what I mean by not ready for production deployment.
To quote Paul Vixie as of November of last year:
We are still doing basic research on what kind of data model will work
for dns security. After three or four times of saying "NOW we've got
it, THIS TIME for sure" there's finally some humility in the
picture... "wonder if THIS'll work?" ...
It's impossible to know how many more flag days we'll have before it's
safe to burn ROMs that marshall and unmarshall the DNSSEC related
RR's, or follow chains trying to validate signatures. It sure isn't
plain old SIG+KEY, and it sure isn't DS as currently specified. When
will it be? We don't know. What has to happen before we will know? We
don't know that either. ...
2535 is already dead and buried. There is no installed base. We're
starting from scratch.
I don't believe the situation has changed substantially since then,
although if it has, or if I'm misunderstanding the above information, that
would be interesting information I'd love to have.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>