On Wed, Oct 03, 2012 at 12:49:20AM +0000, Vernon Schryver wrote:
> web for most connected computers (e.g. phones). Writing DNSSEC
> validation code for every application that depends on accurate DNS
> data would be as crazy as not using libraries and daemons for other
> local authentication and authorization.

Just in case it wasn't plain (I guess it wasn't), I am not arguing that this is a good state of affairs. I was merely arguing that Paul's description of the problem is the wrong one. There is no validation at the edge at least in part because applications can't consume it, so there's no point. I have no idea whether the ability to consume that validation information would change the state of affairs, but it's certainly a necessary condition for TLSA use.

A

--
Andrew Sullivan
