On Tue, 19 Aug 2008, Masataka Ohta wrote:
> You mean all the DNSSEC clients should directly ask authoritative
> nameservers and all the firewalls preventing so should be modified.
> (distributed) point to point encryption (or validation) is the future!
> Let's assume all the clients agree with you and start using DNSSEC
> and all the administrators of firewalls agree with you and perform
> modification (though I don't know how NAT can be modified).
I see no problem for port 53 through NATs. That is when using DNSSEC.
When not using DNSSEC, you have issues with NAT devices undoing your
source port randomization. Also, firewall admins can still do things
like transparent proxying of DNS. But really, so many desktop applications
do direct DNS now themselves with disregard of the OS, those networks
would be broken anyway.
> Then, the increased load is a very good reason for root servers not
> to support DNSSEC.
I believe 99% of the load of root servers is bogus queries anyway.
Plus, I'm sure they wouldn't mind an increase to signal/noise ratio.
Plus, those are addressed by things like anycast. It all scales fairly
well, DNS being a distributed system and all. I'll take this argument
as valid as soon as a root server operator comes forward and tells us
this is a problem. For YOUR objections, let's stick to YOUR problems.
>> I am curious what you propose as an alternative.
> Abandon DNSSEC and accept the reality that, even with DNSSEC,
> management of DNS is not very secure.
That's not an alternative (nor correct)
Paul
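Added example, not code from anyone in this thread: the check an operator can run for the NAT problem Paul raises, by sending a burst of queries to a test server outside the NAT and inspecting the (transaction ID, source port) pairs it logs. The observation lists, the thresholds and the helper names are all constructed assumptions for illustration.

```python
"""Check whether a NAT is collapsing a resolver's DNS source-port randomisation.

Added example, not code from the thread. The samples below are constructed;
no real resolver or NAT was measured. Each pair is (DNS transaction ID, UDP
source port) as an external test server would see it on the public side.
"""

# Constructed: randomising resolver, NAT preserves the chosen source ports.
OBS_PRESERVED = [(0x1a2b, 41235), (0x77c1, 58002), (0x0f0f, 33761),
                 (0xc3d4, 61117), (0x5e5e, 47120), (0xa0b1, 52944),
                 (0x13f2, 39005), (0x9d9d, 60211)]

# Constructed: same resolver, but the NAT allocates public ports sequentially.
OBS_REWRITTEN = [(0x1a2b, 1025), (0x77c1, 1026), (0x0f0f, 1027),
                 (0xc3d4, 1028), (0x5e5e, 1029), (0xa0b1, 1030),
                 (0x13f2, 1031), (0x9d9d, 1032)]


def port_spread(ports):
    """Width of the port range actually used. A random picker over the
    ephemeral range spreads far wider than a NAT's sequential allocator."""
    return max(ports) - min(ports)


def sequential_fraction(ports, window=16):
    """Share of consecutive observations whose ports differ by <= window."""
    steps = [abs(b - a) for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s <= window) / len(steps)


def assess(observations, min_spread=4096, max_sequential=0.5):
    """Return the heuristics and the verdict for one burst of observations.

    'guess_bits' is the rough size of the space an off-path forger must
    cover: the 16-bit TXID, plus the port only while it still varies.
    Thresholds are assumptions; tune them to the burst size you send.
    """
    ports = [port for _, port in observations]
    spread = port_spread(ports)
    seq = sequential_fraction(ports)
    randomised = spread >= min_spread and seq <= max_sequential
    return {
        "spread": spread,
        "sequential_fraction": seq,
        "port_randomised": randomised,
        "guess_bits": 32 if randomised else 16,
    }


if __name__ == "__main__":
    for name, obs in (("preserved", OBS_PRESERVED), ("rewritten", OBS_REWRITTEN)):
        print(name, assess(obs))
```

A burst of eight queries is enough to see a sequential allocator; a NAT that randomises its own port choice would pass this check, which is the behaviour to ask the vendor for.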
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop