> From: Derek Atkins [mailto:[email protected]]
> 
> And you've already violated rule #1: You must trust your resolver.

That's the point we've been talking about.  I forget who said in this thread, 
that DNSSEC only provides security up to the last hop, not including the 
endpoint.

It is unavoidable that people will travel; they will connect to the internet in 
coffee shops and hotels.  It is not reasonable or realistic to expect them to 
trust their DNS resolver implicitly.  You cannot trust the resolver, unless you 
are your own resolver, or the resolver relays security information to you which 
you're able to validate for yourself.  It is unscalable for everybody to be 
their own resolver - breaking the distributed nature of DNS.  So really, the 
only scalable solution is to provide security information to the endpoints.  
Unfortunately, it's also unrealistic to expect all the dumb linksys routers and 
comcast internet connections of the world to be upgraded in any timely manner 
to support relaying security information to endpoints.  Yes it's possible for 
smart endpoints to query DNS providers as dictated by DHCP, and become their 
own secure resolvers if and only if the dumb DNS server failed to relay 
security information - but this starts out at the point o
 f being currently unscalable.

We'll probably get there someday, just obviously not right now.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to