Hi Warren

On Sun, Oct 12, 2014 at 06:28:46PM +0530, Mukund Sivaraman wrote:
> * pros compared to DNSSEC related to authenticated data (apart from security):
>  + There'd be no need to use DNSSEC when DNSCurve is used as
>    it also authenticates data (keys are associated with the zone). For
>    example, with such a system a stub might query a cache with AD=1 and
>    DO=0 (RFC 6840) and receive what it can consider authentic data.

In reply to my own mail, I take this back.

My colleague pointed out that some applications now do end-to-end
validation (not simply trust the AD bit, but check signatures). In this
case, DNSSEC would absolutely be necessary to use cached answers.

It would also be necessary when there's no direct route to a remote
authoritative server to get data authenticated as part of transport.

> + The entity supplying the DNS data cannot use another untrusted
>   party's nameserver to serve it, as they cannot give them a pre-signed
>   zone.

And this too, such as for root and various secondary DNS hosting
services.

                Mukund

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
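The AD=1/DO=0 exchange Mukund mentions, as an added example (not code from the thread or from any DNS implementation): a stub's query with the AD header bit set and no EDNS DO bit, and what a resolver's answer then carries. The messages are constructed inline with the standard library only; the names (example.com), the 192.0.2.1 address, and the RRSIG rdata (a dummy signature, not a real one) are all made up for illustration. The point it shows is the one in the mail: an AD-trusting stub can use the first answer, but an application that checks signatures itself cannot, because without DO=1 the cache sends no RRSIGs.

```python
"""Added example for the dns-privacy thread: AD bit vs. end-to-end validation.

Builds minimal DNS wire-format messages (RFC 1035 header, RFC 6891 OPT record)
and inspects what a stub gets back depending on whether it asked with DO=1.
All messages here are constructed by hand for the example.
"""
import struct

FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available (set by the resolver)
FLAG_QR = 0x8000   # response
FLAG_AD = 0x0020   # authentic data (RFC 4035 / RFC 6840)
EDNS_DO = 0x8000   # DO bit: high bit of the OPT record's TTL field (RFC 6891)
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46


def encode_name(name):
    """Uncompressed wire form of a dotted name ("example.com." -> labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at offset (handles compression pointers); returns (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(name, qtype=TYPE_A, ad=False, do=False, txid=0x1234):
    """Stub query. ad=True sets the AD header bit (asks the resolver to report
    validation state); do=True adds an OPT record with DO=1 (asks for RRSIGs)."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:  # OPT RR: root owner, type 41, UDP size 1232, DO in the TTL field, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg


def build_response(txid, flags, question, records, do=False):
    """Resolver answer. records: list of (owner, rtype, ttl, rdata)."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 1 if do else 0)
    msg += encode_name(question[0]) + struct.pack("!HH", question[1], 1)
    for owner, rtype, ttl, rdata in records:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    if do:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg


def inspect_response(msg):
    """What a stub can learn from an answer: did the resolver assert AD, did it
    echo DO, and are RRSIGs present for the application to validate itself."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                # qtype + qclass
    types, do = [], False
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do = True
    return {"ad": bool(flags & FLAG_AD), "do": do, "has_rrsig": TYPE_RRSIG in types}


def demo():
    """Two constructed exchanges for example.com. A; returns their inspections."""
    question = ("example.com.", TYPE_A)
    a_rr = ("example.com.", TYPE_A, 300, bytes([192, 0, 2, 1]))    # constructed address
    # Dummy RRSIG rdata: covers A, alg 13, 2 labels, ttl 300, zero times/keytag,
    # signer example.com., 64 zero bytes standing in for a signature (NOT real).
    rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 0)
                   + encode_name("example.com.") + b"\x00" * 64)
    rrsig_rr = ("example.com.", TYPE_RRSIG, 300, rrsig_rdata)
    resp_flags = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD   # resolver says "validated"

    q_ad_only = build_query("example.com.", ad=True, do=False)      # RFC 6840 stub
    r_ad_only = build_response(0x1234, resp_flags, question, [a_rr])
    q_do = build_query("example.com.", ad=True, do=True)            # validating app
    r_do = build_response(0x1234, resp_flags, question, [a_rr, rrsig_rr], do=True)
    return inspect_response(r_ad_only), inspect_response(r_do), q_ad_only, q_do
```

`demo()` returns `{'ad': True, 'do': False, 'has_rrsig': False}` for the AD=1/DO=0 exchange and `{'ad': True, 'do': True, 'has_rrsig': True}` for the DO=1 one: the first is enough for a stub that takes the resolver's word via the AD bit (and is only as trustworthy as the path to that resolver), while an application that verifies signatures itself needs the second, which is why the cached-answer case still requires DNSSEC data on the wire.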
