[OpenAFS] with or without krb5 and openldap?

Derek Atkins warlord@MIT.EDU
01 Aug 2003 22:10:43 -0400


Russ Allbery <rra@stanford.edu> writes:

> Except that, as I understand it, the DNSSEC protocol has been determined
> to be broken as designed and will likely be thrown out and redesigned, so
> you'd be sticking yourself in a dead-end hole with no future support.

The 'broken' parts were all operational, not cryptographic.  It's not
being completely thrown out nor completely redesigned.  The current
direction of DNSEXT is to rev the RRTypes of SIG and KEY to protect
2535bis(+DS) systems from 2535-compliant deployment (because the
operational problems solved by 2535bis+DS are broken by pure 2535
systems).

Does this mean you cannot deploy today?  No.  Indeed, 2535 deployments
have existed for a while...

> That's what I mean by not ready for production deployment.

Then you don't really understand the issues.

> To quote Paul Vixie as of November of last year:
[snip]

> I don't believe the situation has changed substantially since then,
> although if it has, or if I'm misunderstanding the above information, that
> would be interesting information I'd love to have.

A lot has changed in the last 9 months.

-derek, who was on the DNS Directorate until 6 months ago.

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available