Re: draft-iab-dns-applications - clarification re: Send-N

2010-10-20 20:55:47

In message <201010210114.o9L1E0MH004556@fs4113.wdf.sap.corp>, Martin Rex writes:
> Phillip Hallam-Baker wrote:
>
> > The weakest DNS architectural idea is the notion that DNS resolvers are
> > untrusted. This is simply wrong. Every DNS resolver performs a trusted role.
>
> Nope, just the opposite.  Name to address translation is meant to
> be an extremely lightweight and fast service.

The DNS is not just name to address translation.

> Hostnames are NOT supposed to be trusted in any way and it is a serious
> misconception to think they're trusted.
>
> If you want to authenticate your peer, use something like an SSH host key.

And how do you know you should trust the host key the remote machine presents?

> The routing of datagrams on the internet is also untrusted, so any notion
> that a service that translates hostnames into IP-Addresses should be
> trusted is fatally flawed and is totally ignorant about the fundamental
> architecture of the internet.
>
> -Martin
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
