> Phillip Hallam-Baker <mailto:[email protected]>
> Thursday, October 23, 2014 11:25 AM
>
> ...
> Bottom line is that if you try to use port 53 for client-recursive you
> will find yourself under MITM attack much of the time. And it's not
> even all malicious. A lot of ISPs are MITMing the DNS traffic so they
> don't get one of the big TLDs onto their case for allowing their
> customers to do DDoS.
my bottom line is related and similar: rdns is hard, and can't scale to the actual internet access edge, currently two billion or more devices, and growing; we need a well guarded path (like HTTPS without any X.509 CA intermediaries telling us what key to trust -- SSL keying material has to be exchanged in some more-trustful way) to get from large numbers of stubs to moderate numbers of recursives. otherwise the DNS data path leading to the edge will continue to look like, and be treated like, raw meat by the thin-margin internet access providers looking to plump up their revenue by selling ads one way and telemetry the other way.

-- 
Paul Vixie
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
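The "well guarded path ... without any X.509 CA intermediaries" that Paul describes is, in concrete terms, a stub that pins the recursive's public key rather than delegating trust to a CA. What follows is an added example, not code from this thread or from any DNS-OARC project: a Go stub-to-recursive TLS exchange over loopback in which the client ignores the certificate chain entirely and accepts only a pre-provisioned SPKI hash, carrying a DNS message with the two-byte length framing that DNS over TLS later standardized (RFC 7858; RFC 7469 defines the pin format). The resolver name `recursive.example`, the self-signed certificate, the echoing stand-in resolver and the sample query are all constructed for this example, and how the pin reaches the stub out of band is assumed, not solved here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Hypothetical resolver name, used only for SNI; nothing off-host is contacted.
const resolverName = "recursive.example"

// SampleQuery is a constructed wire-format query: ID 0x1234, RD set, one question, example.com IN A.
var SampleQuery = []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1}

// selfSignedResolverCert stands in for the key a resolver operator publishes out of band; no CA signs it.
func selfSignedResolverCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: resolverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo DER)), the pin form of RFC 7469 and of the DoT key-pinned profile.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClientConfig trusts exactly one key. InsecureSkipVerify switches off CA chain
// building; VerifyPeerCertificate is still invoked and performs the only check this model needs.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		ServerName:         resolverName,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return fmt.Errorf("resolver presented no certificate")
			}
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if got := SPKIPin(leaf); got != pin {
				return fmt.Errorf("SPKI pin mismatch: got %s, want %s", got, pin)
			}
			return nil
		},
	}
}

// PinnedDoTExchange runs a loopback TLS listener holding serverCert (standing in for a
// resolver on 853) and a stub that trusts only pin; the stand-in resolver just echoes bytes.
func PinnedDoTExchange(serverCert tls.Certificate, pin string, query []byte) ([]byte, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			io.Copy(c, c) // first Read runs the server side of the handshake; a rejected pin ends it here
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedClientConfig(pin))
	if err != nil {
		return nil, err // a pin mismatch fails here, before any DNS data has left the stub
	}
	defer conn.Close()
	// DoT carries DNS messages with the two-byte big-endian length prefix of DNS over TCP.
	framed := append([]byte{byte(len(query) >> 8), byte(len(query))}, query...)
	resp := make([]byte, len(framed))
	if _, err = conn.Write(framed); err == nil {
		_, err = io.ReadFull(conn, resp)
	}
	return resp[2:], err
}
```

Two caveats a practitioner should take from this. First, in Go the only way to bypass CA chain validation is `InsecureSkipVerify: true`, which makes the `VerifyPeerCertificate` callback load-bearing: a config with the former and without the latter authenticates nobody, which is exactly the "raw meat" situation on port 53 with extra steps. Second, a single pinned key means a key rollover strands every stub that has not been re-provisioned, so a deployed version of this needs a backup pin published alongside the live one and a distribution channel for both that is at least as trustworthy as the DNS path it protects.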
