[TriLUG] The sad state of sysadmin in the age of containers

Igor Partola via TriLUG trilug at trilug.org
Thu Mar 19 09:40:40 EDT 2015


I have done a bit of research into DNSSEC. The conclusion that I came to is
that it's a bad thing and shouldn't be done. The reason is that it
basically centralizes all control of the Internet to a few governments.

In my mind, you solve that problem by checking for certificate revocation,
and by having the old registrar revoke the local CA cert when the domain
owner moves registrars or domain ownership changes. Browsers already do
this, though the protocol and the infrastructure could be much more robust.

For a decent explanation of why DNSSEC is bad, check out
http://sockpuppet.org/blog/2015/01/15/against-dnssec/. I don't like parts
of this essay because they talk about why DNSSEC the implementation is bad
too much. However, the nugget of truth here is that DNSSEC the idea is bad.
The proposition is that DNS should remain unsecured, just like TCP/IP
should remain unsecured. The secured system can be built on top of it at a
higher level.

Igor

