On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
The point is not to protect the DNS. The point is to protect the
people. And that means that maybe you don't want your machine to
resolve every domain name.
That sounds very much like the tapping/crypto debate. "You may not
secure your communications because we're using its weaknesses for your
protection".
Not securing DNS because some people are using it for something completely
different, namely a filtering service, is not an acceptable solution.
But besides that, services like opendns can still fetch and validate DNS,
and then continue strip it and rewrite it for those endusers that prefer
such a service. DNSSEC does not change that at all.
Paul
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf