
Re: Proposed DNSSEC Plenary Experiment for IETF 74

2008-11-27 12:30:18

"Russ" == Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:
    Russ> I have been approached about a plenary experiment regarding
    Russ> DNSSEC.  The idea is for everyone to try using DNSSEC-enabled
    Russ> clients during the plenary session.  I like the idea.  What do
    Russ> others think?

  In this case, it's really not about the clients, I think.

  It's about making the IETF DNS servers (the recursive ones) have
DNSSEC processing on. They would authenticate the answers, and discard
responses which should have been signed, but were not.
  An appropriate set of trust anchors would need to be agreed upon, and
a decision whether or not to enable DLV would need to be made.

  I will point out that (unless we close port-53 outgoing) anyone
who wants to run their own recursive name server (a requirement if you
run Windows and the room is IPv6 only...), or who points their
/etc/resolv.conf to their own name server, will not really be affected.
  I do not suggest we close port 53 :-)

  I am in favour (and hope to be there).
  I would also volunteer to help set it up.

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr(_at_)sandelman(_dot_)ottawa(_dot_)on(_dot_)ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



  
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
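
Added example (not part of the original message): a simplified model of the accept/discard decision a validating recursive resolver makes, following the security states of RFC 4033/4035, to show what "should have been signed, but were not" depends on. The trust anchors, zone names, delegation data and function names are constructed assumptions, and signature validity is an input rather than a cryptographic check.

```python
# Simplified decision model for a validating recursive resolver.
# No cryptography: whether a signature verified is passed in by the caller.
# All zone names and delegation data below are constructed for illustration.

TRUST_ANCHORS = {"se.", "example.org."}   # assumed: anchors agreed for the experiment

# Constructed zone cuts below the anchors: zone -> does the parent publish a DS?
DS_AT_PARENT = {
    "signed.se.": True,      # secure delegation, chain of trust continues
    "unsigned.se.": False,   # parent proves no DS exists: provably insecure
}

def suffixes(name):
    """Yield name and each ancestor, longest first: a.b. -> a.b., b., ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def security_state(qname):
    """Return 'secure' if answers for qname must be signed, else 'insecure'."""
    chain = list(suffixes(qname))
    # Closest enclosing trust anchor, if any.
    idx = next((i for i, z in enumerate(chain) if z in TRUST_ANCHORS), None)
    if idx is None:
        return "insecure"    # no anchor covers the name: nothing to validate against
    # Walk down from the anchor; an unsigned delegation ends the chain of trust.
    for zone in reversed(chain[:idx]):
        if DS_AT_PARENT.get(zone) is False:
            return "insecure"
    return "secure"

def resolver_action(qname, has_rrsig, sig_valid):
    """What the resolver returns to the stub client."""
    if security_state(qname) == "insecure":
        return "answer"              # passed through, AD bit not set
    if has_rrsig and sig_valid:
        return "answer+AD"           # validated
    return "SERVFAIL"                # bogus: discarded, client sees a failure

if __name__ == "__main__":
    for case in [("www.signed.se.", True, True),
                 ("www.signed.se.", False, False),
                 ("www.unsigned.se.", False, False),
                 ("www.example.com.", False, False)]:
        print(case, "->", resolver_action(*case))
```

Only names under a configured trust anchor with an unbroken DS chain are ever discarded, which is why the choice of anchors decides how much of the namespace the experiment actually covers.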