On Tue, 2 Oct 2012, Andrew Sullivan wrote:
> I don't think this is the problem at all. The problem is that even if you can get that out at the end point (and I can, using DNSSEC Trigger),
Andrew, please have a drink at Second Cup next week when you're at ICANN. In fact, I'll buy it, you use the wifi to browse around :) The resolvers are broken for dnssec, other port 53 is blocked. You're on TCP only. You will see many timeouts and failures and trust me you will enable "insecure" within 5 minutes.
> it does you no good because your application _can't tell_ what happened. If I'm a web browser programmer, I want to be able to know whether the DNSSEC validation worked before I start using the TLSA record.
Why? Are you going to ignore the TLSA record only when DNSSEC fails? In which case, an attacker will just trigger that. DNSSEC has to always come in, via port 53, port 80, or via x509 blobs.

Paul

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
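As an added illustration of the fail-closed point argued in this exchange (example code written for this page, not from either poster or from any DANE implementation): a DANE client needs the validation state of its TLSA lookup, and a bogus or unverifiable answer must end the connection rather than quietly drop back to PKIX, otherwise anyone who can break validation gets the fallback for free. The DNS headers are constructed sample data, and the `resolver_trusted` flag stands in for whatever the client knows about the path to its validating resolver.

```python
import struct
from enum import Enum

# Constructed 12-byte DNS headers (id, flags, qd, an, ns, ar); sample data, not captures.
# Flag bits: QR=0x8000 RD=0x0100 RA=0x0080 AD=0x0020 CD=0x0010, RCODE in the low nibble.
HDR_AD_SET   = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 0)  # validated answer (AD set)
HDR_AD_CLEAR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # answer, AD clear
HDR_SERVFAIL = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 0)  # SERVFAIL (rcode 2)


class Validation(Enum):
    SECURE = "secure"                # chain of trust validated
    INSECURE = "insecure"            # zone provably unsigned
    BOGUS = "bogus"                  # signed, but validation failed (or data stripped)
    INDETERMINATE = "indeterminate"  # no trustworthy signal about validation at all


def header_flags(msg: bytes) -> dict:
    """Decode the flags word of a DNS wire-format header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!6H", msg[:12])[1]
    return {"qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F}


def classify(msg: bytes, resolver_trusted: bool) -> Validation:
    """Map a response to a validation state. The AD bit only carries meaning when the
    validating resolver is reached over a path an attacker cannot rewrite; on cafe wifi
    with broken resolvers, as described above, it carries none."""
    f = header_flags(msg)
    if f["rcode"] == 2:                       # SERVFAIL from a validator: bogus data
        return Validation.BOGUS
    if not resolver_trusted:                  # AD bit is untrustworthy: no signal at all
        return Validation.INDETERMINATE
    return Validation.SECURE if f["ad"] else Validation.INSECURE


def dane_policy(tlsa_present: bool, status: Validation) -> str:
    """Fail closed on bogus or unverifiable lookups; fall back to PKIX only when the zone
    is proven unsigned, so breaking validation cannot be used as a downgrade."""
    if status in (Validation.BOGUS, Validation.INDETERMINATE):
        return "fail-closed"                  # do not connect, do not fall back
    if status is Validation.INSECURE:
        return "pkix-only"                    # unsigned zone: any TLSA seen is ignored
    return "use-tlsa" if tlsa_present else "pkix-only"
```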
