Hacker News new | ask | show | jobs
by djcapelis 5817 days ago
The entire point of this story is that until this week your clients couldn't have used it even if they wanted to and that changed.

I'm not saying you have to go running off and caring about DNSSEC now, but the kneejerk "omg it's not deployed" argument really isn't helpful or insightful attached to a story about how it just finished getting deployed for real on the roots finally after years of waiting.
1 comments
andrewtj 5817 days ago
Your reading of my post as "omg it's not deployed" is an unwarranted exaggeration. I merely stated that for me, someone who maintains a from the wire-up DNS implementation, this baby-step doesn't change anything practical — which is something you've agreed with.

EDIT:

It goes without saying but I'll state it anyway, this cascade of down-votes is not the reaction I'd expect for making what I consider to be a pretty innocuous comment about something that potentially affects the priorities of my startup.

link
djcapelis 5817 days ago 

  It goes without saying but I'll state it anyway, this 
  cascade of down-votes is not the reaction I'd expect for 
  making what I consider to be a pretty innocuous comment 
  about something that potentially affects the priorities of 
  my startup
It's probably a reaction to your advocacy for ignorance at the expense of a story marking an important milestone in DNS's capabilities.

If you insist on not caring, do so quietly. Some people around here are trying to fix things, or break them, which hopefully will result in better systems. In any case, you appear to be doing neither.

(As a side note, your assertion that I agree that this doesn't change anything practical is false, as of yesterday people can resolve domains over DNSSEC, that wasn't true last week. I consider this a practical change. I'm not a big fan of DNSSEC as a protocol, but this is a big deal(tm).)

link
andrewtj 5817 days ago
as of yesterday people can resolve domains over DNSSEC

People can resolve the root over DNSSEC. This is a milestone, but it's one to be followed by many, many more before it affects clients.

link
djcapelis 5816 days ago
No, some TLDs have already signed their zones. Some people are able to use DNSSEC today.

isc.org appears to be using it already, for instance.

Edit:

  $ whois isc.org | grep DNSSEC
  DNSSEC:Signed
link
andrewtj 5816 days ago
Regarding TLDs, you're again intimating that I have said something that I have not said.

I do not dispute that some people are able to use DNSSEC and this does not belie my original comment.

link
djcapelis 5816 days ago
Last week: No one could use DNSSEC. No one did. No one was affected.

Today: Many people can use DNSSEC. Some actually are. Some clients are affected. (Just obviously not yours, since you remain completely uncaring about the subject.)

I don't see how it could be any clearer.

link
tptacek 5816 days ago
You're messing with people's hope.

People want a story about how the Internet is getting a cool new security capability.

They especially want that story to come at the expense of Verisign and the SSL CA's.

Expect downvotes.

link