
Re: Securing DNS Re: IAB statement on the RPKI.

2010-02-18 19:10:30

In message <alpine.LFD.1.10.1002181937210.25953@newtla.xelerance.com>,
 Paul Wouters writes:
On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:

The point is not to protect the DNS. The point is to protect the
people. And that means that maybe you don't want your machine to
resolve every domain name.

That sounds very much like the tapping/crypto debate. "You may not
secure your communications because we're using its weaknesses for your
protection".

Not securing DNS because some people are using it for something completely
different, namely a filtering service, is not an acceptable solution.

But besides that, services like opendns can still fetch and validate DNS,
and then continue to strip it and rewrite it for those end users that prefer
such a service. DNSSEC does not change that at all.

DNSSEC can even be used to secure reputation data to allow different
applications on the same box to make different decisions about
whether or not to trust the data returned from the DNS, whether it
is signed using DNSSEC or not.

One could also use EDNS options to tell the recursive resolver
whether or not to filter a particular query, or to pass back a
recommendation to filter the response.  The data itself would still
be signed and verifiable.  The recommendation itself can be secured
with TSIG/SIG(0).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
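The exchange Mark sketches above, as an added example that is not part of the thread or of any ISC code: a stub signals "do not filter" to its recursive resolver in an EDNS(0) option, the resolver returns the answer data untouched (so its RRSIGs still validate) and puts its own "recommend filtering" hint in the OPT RR, and the whole response is covered by a TSIG RR built to the RFC 8945 digest layout with HMAC-SHA256. The option code (taken from the range RFC 6891 reserves for local/experimental use), the flag bits, the key, the key name and the timestamp are assumptions constructed for this example, not a registered protocol. The last call shows why the TSIG matters: an on-path party that flips the recommendation bit leaves the signed answer RRs valid but fails the MAC check.

```python
"""Added example, not from the thread: EDNS filtering hint + TSIG-covered response.
Option code, flag bits, key and names are assumptions made up for this example."""
import hashlib
import hmac
import struct

FILTER_HINT_OPT = 65001        # assumed; RFC 6891 reserves 65001-65534 for local/experimental use
HINT_NO_FILTER = 0x01          # stub -> resolver: please do not filter this query (assumed)
HINT_RECOMMEND_FILTER = 0x02   # resolver -> stub: we recommend filtering this answer (assumed)
TSIG_TYPE, CLASS_ANY, OPT_TYPE = 250, 255, 41
TSIG_ALG = "hmac-sha256."

def wire_name(name):
    """Dotted name -> uncompressed DNS wire form."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, pos):
    """Advance past an uncompressed name (the only kind built here)."""
    while buf[pos]:
        pos += buf[pos] + 1
    return pos + 1

def a_record(name, ttl, ipv4):
    """An A RR; in a real DNSSEC response it travels with its RRSIG, untouched."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    return wire_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def opt_rr(options):
    """OPT pseudo-RR (RFC 6891): root name, type 41, class = UDP size, TTL = flags."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata

def dns_message(msg_id, flags, qname, answers=(), options=()):
    """Header + one A question + answers + one OPT RR (ARCOUNT counts the OPT)."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 1)
    return header + wire_name(qname) + struct.pack("!HH", 1, 1) + b"".join(answers) + opt_rr(options)

def edns_options(message):
    """Walk question and answer sections; return the OPT RR's (code, data) list."""
    qd, an, ns = struct.unpack("!HHH", message[4:10])
    pos = 12
    for _ in range(qd):
        pos = skip_name(message, pos) + 4
    for _ in range(an + ns):
        pos = skip_name(message, pos)
        pos += 10 + struct.unpack("!H", message[pos + 8:pos + 10])[0]
    pos = skip_name(message, pos)
    rtype = struct.unpack("!H", message[pos:pos + 2])[0]
    rdlen = struct.unpack("!H", message[pos + 8:pos + 10])[0]
    rdata, opts, i = message[pos + 10:pos + 10 + rdlen], [], 0
    while rtype == OPT_TYPE and i < len(rdata):
        code, ln = struct.unpack("!HH", rdata[i:i + 4])
        opts.append((code, rdata[i + 4:i + 4 + ln]))
        i += 4 + ln
    return opts

def tsig_variables(keyname, time_signed, fudge):
    """TSIG variables RFC 8945 appends to the message before hashing (error 0, no other data)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(TSIG_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))

def tsig_sign(message, keyname, key, time_signed, fudge=300):
    """Append a TSIG RR whose HMAC covers the message as it is before the TSIG is counted."""
    mac = hmac.new(key, message + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(TSIG_ALG)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", message[:2])[0], 0, 0))
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def split_tsig(signed, keyname):
    """Separate the trailing TSIG RR (32-byte MAC, no other data) from the rest."""
    tail = len(wire_name(keyname)) + 10 + len(wire_name(TSIG_ALG)) + 10 + 32 + 6
    return signed[:-tail], signed[-tail:]

def tsig_verify(signed, keyname, key, now):
    """Recompute the MAC over the message as it was before signing; check the time window."""
    body, rr = split_tsig(signed, keyname)
    rdata, alg = rr[len(wire_name(keyname)) + 10:], wire_name(TSIG_ALG)
    hi, lo, fudge, macsize = struct.unpack("!HIHH", rdata[len(alg):len(alg) + 10])
    if rdata[:len(alg)] != alg or macsize != 32:
        return False
    mac, time_signed = rdata[len(alg) + 10:len(alg) + 42], (hi << 32) | lo
    arcount = struct.unpack("!H", body[10:12])[0] - 1        # ARCOUNT without the TSIG
    original = body[:10] + struct.pack("!H", arcount) + body[12:]
    expected = hmac.new(key, original + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge

def exchange(recommend_filter, tamper=False, key=b"constructed-shared-key",
             keyname="stub-resolver.key.", now=1266520230):
    """One round trip. Returns (wish the resolver read, hint the stub read, TSIG ok)."""
    query = dns_message(0x1234, 0x0100, "example.com.", options=[(FILTER_HINT_OPT, bytes([HINT_NO_FILTER]))])
    stub_wish = dict(edns_options(query))[FILTER_HINT_OPT][0]          # resolver reads the stub's wish
    hint = HINT_RECOMMEND_FILTER if recommend_filter else 0
    response = dns_message(0x1234, 0x8180, "example.com.", [a_record("example.com.", 300, "192.0.2.1")],
                           [(FILTER_HINT_OPT, bytes([hint]))])        # answer data untouched
    signed = tsig_sign(response, keyname, key, now)
    if tamper:  # on-path party flips the recommendation bit; the answer RRs stay intact
        body, rr = split_tsig(signed, keyname)
        signed = body[:-1] + bytes([body[-1] ^ HINT_RECOMMEND_FILTER]) + rr
    body, _ = split_tsig(signed, keyname)
    stub_hint = dict(edns_options(body))[FILTER_HINT_OPT][0]
    return stub_wish, stub_hint, tsig_verify(signed, keyname, key, now + 5)

if __name__ == "__main__":
    print(exchange(True), exchange(True, tamper=True))
```

The response MAC here is computed in the request form (no prior request MAC prefixed); a full RFC 8945 implementation signing a response to a signed request would prefix the request MAC, and a SIG(0) variant would replace the shared HMAC key with a public-key signature over the same message bytes.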
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf