
Re: Proposed DNSSEC Plenary Experiment for IETF 74

2008-11-28 14:39:33
On Fri, 28 Nov 2008, Andrew Sullivan wrote:

That said, I don't want to make light of the end-point problem, since
TSIG between a stub and a recursor isn't a trivial problem today
either.  Moreover, since end nodes in many environments get their
recursor's address(es) via DHCP, and since that path is pretty easy to
compromise, the whole edifice rests on a sandy foundation.
Nevertheless, I just want to be clear that having every end node in
the world doing RFC 4035-and-friends validation is not the only path
to useful DNSSEC.

It's worse. Before you can start validating on your own, or use some
trusted remote TSIG accessible resolver, you are likely to need
to accept some spoofs to get past the hotspot authentication.

Then you need to prevent your browser from caching them too much (they
do fastflux protection), and your own potential resolver needs to
dump the answers once it has a real IP link to the real world.

I don't know of any method to both allow hotspot access and fully
use DNSSEC.

Paul
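To make the failure mode Paul describes concrete, here is a small Python model of a stub resolver cache (an added example, not code from this thread or from any real resolver): answers learned while the hotspot is still intercepting DNS get a capped TTL and are flagged as portal-era, and they are dumped as soon as the real link is established. The class name, the TTL cap and the sample records are constructed for illustration.

```python
"""Captive-portal-aware stub cache (constructed example).

Models the problem in the message above: answers obtained while a
hotspot's captive portal intercepts DNS cannot be DNSSEC validated and
must not outlive the portal phase.
"""
import time
from dataclasses import dataclass

PRE_AUTH_TTL_CAP = 30  # seconds; constructed cap for portal-era answers


@dataclass
class CacheEntry:
    rdata: str
    expires: float
    validated: bool   # True only if DNSSEC validation (RFC 4035) succeeded
    pre_auth: bool    # learned before the real link was established


class PortalAwareCache:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so tests are deterministic
        self._entries: dict[str, CacheEntry] = {}
        self.link_established = False

    def insert(self, name: str, rdata: str, ttl: int, validated: bool) -> None:
        pre_auth = not self.link_established
        if pre_auth:
            # No trusted path to the real world yet: treat the answer as
            # unvalidated (it may be the portal's spoof) and keep it short-lived
            # so the browser/resolver forgets it quickly.
            validated = False
            ttl = min(ttl, PRE_AUTH_TTL_CAP)
        self._entries[name] = CacheEntry(rdata, self._now() + ttl, validated, pre_auth)

    def on_link_established(self) -> int:
        """Call once the portal has been passed: drop every portal-era answer.
        Returns the number of entries dumped."""
        self.link_established = True
        before = len(self._entries)
        self._entries = {n: e for n, e in self._entries.items() if not e.pre_auth}
        return before - len(self._entries)

    def lookup(self, name: str):
        """Return (rdata, validated) for a live entry, or None."""
        e = self._entries.get(name)
        if e is None or e.expires <= self._now():
            self._entries.pop(name, None)
            return None
        return e.rdata, e.validated
```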
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf