In message <a123a5d60906111838t460ca168l9cf797a486ec1cf1(_at_)mail(_dot_)gmail(_dot_)com>, Phillip Hallam-Baker writes:
> So we have totally abandoned the idea of doing DNSSEC in the end point client?
No. Recursive nameservers need to validate the answers
returned from the DNS for their own uses. This doesn't
preclude other applications also validating answers. Having
recursive nameservers validate answers is not the end point
in DNSSEC deployment. It's just a good first step which
is good enough in some operational environments. There are
however lots of operational environments where this would
not be good enough and the validation really needs to be
performed in the application.
For your light switch example a validating recursive resolver
is probably all you need.
For laptops you most probably want to move the validation
onto the laptop, either in the application or by running
a validating recursive nameserver on the laptop which may
or may not use the nameservers in the DHCP response as
forwarders. I do this today.
> Trust roots have to be valid for at least a decade to be acceptable to
> the application vendor community.
That's an unproven assumption.
> And even though the current model of network administration is to
> constantly fiddle with everything, I think that is going to have to
> stop.
Lots of companies already use private roots. Equipment
manufacturers are not going to build equipment that can't
be used by those markets.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
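The laptop setup described in the message above (a validating recursive nameserver on the host itself, optionally forwarding to whatever nameservers DHCP handed out) as an added example; this is not part of the original message and not ISC's own code or documentation. It generates the options block for a local BIND named from a resolv.conf-style file. The file paths, the constructed sample resolv.conf, and the use of BIND's "dnssec-validation auto" option (which uses the built-in root trust anchor and needs BIND 9.8 or later) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from Mark Andrews' message or from BIND itself.
# Builds the "options" block for a validating recursive named running on a
# laptop. The forwarders are taken from the nameservers that the DHCP client
# wrote into a resolv.conf-style file, so the local resolver forwards to the
# network's servers but still validates every answer itself.
# Assumptions: "dnssec-validation auto" (BIND 9.8+, built-in root trust
# anchor); the generated text is written to a file included from named.conf.

# Print a BIND "forwarders { ...; };" clause built from every
# "nameserver <addr>" line in the file named by $1. With no nameserver
# lines the clause is empty, and named simply recurses from the root.
forwarders_from_resolv() {
    printf 'forwarders {\n'
    awk '$1 == "nameserver" { printf "        %s;\n", $2 }' "$1"
    printf '    };\n'
}

# Print a complete options block: listen only on loopback, recurse,
# validate, and use "forward first" so that a forwarder which strips or
# mangles DNSSEC data makes named fall back to full recursion rather than
# returning SERVFAIL for everything.
named_options_from_resolv() {
    printf 'options {\n'
    printf '    listen-on { 127.0.0.1; };\n'
    printf '    recursion yes;\n'
    printf '    dnssec-validation auto;\n'
    printf '    forward first;\n'
    printf '    '
    forwarders_from_resolv "$1"
    printf '};\n'
}

# Count the forwarders the generated clause contains; a quick sanity check
# to run after a DHCP lease change and before reloading named.
count_forwarders() {
    forwarders_from_resolv "$1" | grep -c '^        [0-9a-fA-F.:]*;$' || true
}

# Demonstration on a constructed resolv.conf (sample input, not a real lease).
main() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Generated by a DHCP client (constructed sample)
search example.net
nameserver 192.0.2.53
nameserver 2001:db8::53
EOF
    named_options_from_resolv "$tmp"
    echo "# forwarders found: $(count_forwarders "$tmp")"
    rm -f "$tmp"
}

main "$@"
```

Write the generated block to the file named.conf includes, reload with rndc, and then confirm that validation is really happening rather than being trusted from upstream: "dig @127.0.0.1 +dnssec <name>" against a signed zone should show the ad flag in the answer, and a deliberately bogus zone should come back SERVFAIL instead of being passed through.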
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf