On 28 Sep 2004, at 20:42, David Farrar wrote:
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all.
It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.
Actually it is the other way around.
Scammers have told us that they use zone files for their scams.
How many scammers have told you that if it wasn't for zone files being available, they would have no other way to launch their scams?
[hysteria trimmed]
I discussed the issue whether DNSSEC benefits outweighed the negatives of open zone files with the CEO of .uk. He made the very valid (IMO) point that the volume of complaints they have had about open zone files and whois leading to domain name scams is some thousand times greater than the number of complaints they have had (as in actual damage, not just a possibility) about something which DNSSEC would have fixed.
This sounds like a spurious argument to me. How many complaints would you expect to receive from people who believe everything they read on the Internet? If someone decides to impersonate a store's web page and does a good job at it, how many users would ever suspect that was how their credit card details got stolen?
My hope is that the specs for DNSSEC will either be modified to prevent zone files being accessible, or that an acceptable patch will be developed, so DNSSEC can be used on .nz.
I don't see any signs that that will happen. I think what is more likely is that DNSSEC will continue to be deployed in other zones, and zones under NZ will remain insecure.
Anyway thanks for elaborating on your reasons.
Any time.

Joe