On Tue, Oct 02, 2012 at 08:55:12PM -0400, Paul Wouters wrote:

> The resolvers are broken for dnssec, other port 53 is blocked. You're
> on TCP only. You will see many timeouts and failures and trust me you
> will enable "insecure" within 5 minutes.

Yep, I know. But my point (which I apparently stated so badly that it was impossible to understand) is that it _doesn't matter_ if you can get DNSSEC out at the edge, if the application can't tell.

> > know whether the DNSSEC validation worked before I start using the
> > TLSA record.
>
> Why? Are you going to ignore the TLSA record only when DNSSEC fails? In
> which case, an attacker will just trigger that.

No. Rather, if I'm going to consume the TLSA record, I need some sort of confidence that the record was obtained securely.

A

--
Andrew Sullivan
[email protected]

dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
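The exchange above turns on whether the application can tell that the TLSA answer was validated. As an added illustration (not code from either poster), the following Python uses the standard library only: it builds two constructed wire-format DNS responses for a hypothetical `_443._tcp.example.com` TLSA lookup, one with the AD (Authenticated Data) flag set and one without, and the consumer function refuses to hand back TLSA data unless the response is a successful answer with AD set. The query name, record values and function names are assumptions made for this example.

```python
import struct

TYPE_TLSA = 52        # RR type number for TLSA (RFC 6698)
CLASS_IN = 1
FLAG_QR = 0x8000      # response bit
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020      # Authenticated Data: validating resolver vouches for the answer
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, ad, tlsa_records):
    """Construct a minimal DNS response for a TLSA query (constructed test data,
    not a captured packet). tlsa_records: list of (usage, selector, mtype, data)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(tlsa_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    answers = b""
    for usage, selector, mtype, data in tlsa_records:
        rdata = bytes([usage, selector, mtype]) + data
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after the name field)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def tlsa_records_if_validated(msg):
    """Return [(usage, selector, matching_type, hexdata), ...] only when the
    response is a successful answer carrying the AD flag; otherwise None, so the
    caller cannot accidentally pin a certificate on unvalidated data."""
    if len(msg) < 12:
        return None
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR or flags & RCODE_MASK != 0:
        return None
    if not flags & FLAG_AD:
        return None  # resolver did not validate: unusable for DANE
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TLSA and rdlen >= 3:
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return records


if __name__ == "__main__":
    cert_hash = bytes(range(32))  # constructed stand-in for a SHA-256 value
    secure = build_response("_443._tcp.example.com", True, [(3, 1, 1, cert_hash)])
    insecure = build_response("_443._tcp.example.com", False, [(3, 1, 1, cert_hash)])
    print("validated:", tlsa_records_if_validated(secure))
    print("unvalidated:", tlsa_records_if_validated(insecure))
```

The AD flag only carries the meaning the code assigns to it when the resolver that set it is trusted and the path between the application and that resolver is protected, which is exactly the "confidence that the record was obtained securely" the reply asks for; a flag seen over an unprotected path to a remote resolver is something any on-path party could have set. In practice that means a validating resolver on the same host, or validation performed in the application itself.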
