ietf

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 11:02:11
On Feb 25, 2010, at 8:41 AM, Paul Wouters wrote:
On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:
I would like to see us create an assumption that a given machine will
only use recursive resolution services from a specific trusted source.

Trust no one.

You have to trust someone.  Really.

More and more devices will do their own DNSSEC validation,
and just use caches to get the data.

This must mean those devices trust their validator (and the operating 
system it is running on).  Which is fine (and, in fact, what I'd argue is the 
right answer), but it means you have to figure out how to securely obtain and 
install the root trust anchor (or the TLD trust anchors or the DLV trust 
anchor).

[Oh we are so not close to being done with deployment here. If turning
on DNSSEC means the typical Web surfer cannot get their WiFi access at
Panera without reconfiguring their machine then DNSSEC is stone cold
dead.]

You have to do this in many cases with non-DNSSEC DNS already.  T-Mobile Hot 
Spot service, for example, requires you to use their DNS servers so you can't 
run your own validator.  It really is quite annoying.

Regards,
-drc

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf