On Sat, 24 Feb 2007 16:18:43 +0100 Florian wrote:

FW> Unfortunately, the real showstopper I see is that you cannot tell an
FW> attack from an infrastructure change that happened to break DNSSEC.
FW> But we need to provide some kind of fallback in case DNSSEC breaks
FW> because we absolutely must ensure that we match plain DNS in terms of
FW> availability. (And I don't think yet another security indicator
FW> visible to the end user is the answer.)

Well, you've got yourself painted into a corner here. I don't think you can have a fallback, or you haven't added any security. The only way to get an ISP to sit up and take notice will be the flood of support calls when they do something that breaks DNS, just as it is now. (Of course, this is also probably one of the reasons they are wary of deploying DNSSEC in the first place.)

FW> Running name resolution over 443/TCP to some central resolver
FW> infrastructure suddenly seems much more attractive, doesn't it?

Not particularly. Either way, you've got to get the ISPs to buy into a new way of thinking about DNS. Besides, I haven't seen any real detail on how this 443/tcp idea would work. I'm sure that if it got as much scrutiny as DNSSEC has had, it would turn out to not be as simple as its proponents might think it is.

--
Robert Story
SPARTA