DNSsec is very important for other reasons, such as the current
pharming attacks. The risks have been known in the security community
since at least 1991, and publicly since at least 1995. The long-
predicted attacks are now happening. We really need to get DNSsec
deployed, independent of mDNS or LLMNR. Given that there is now some
forward progress on DNSsec, it's not at all unreasonable for either or
both of those specs to rely on it to solve some of their particular
security risks.

Couldn't agree more. But if I'm not mistaken, the current DNSSEC
specifications do not mandate that DNS stub resolvers be DNSSEC-aware
validating, which is what would be required for use in a peer-to-peer name
resolution protocol. There is also the DNSEXT WG edict that mDNS/LLMNR
not share a cache with DNS, which makes it difficult for mDNS/LLMNR to
utilize trust anchors or acquired keys present in the DNS cache.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf