> * Masataka Ohta:
>
> > Caching servers not validating the response?
>
> Yes, this is still a widely-held view. To be honest, I don't think it
> makes much sense. We need DNSSEC right now, not at some unknown
> future date when operating system vendors have shipped security-aware,
> validating stub resolvers for a while, so that there is finally a
> client population which supports end-to-end DNSSEC.
>
> What's worse, end-to-end DNSSEC support for mobile devices (which move
> from networks with resolvers which support end-to-end DNSSEC to
> networks which don't) is a completely unsolved problem. We are
> basically at stage 0: denial that the problem exists. Not good at
> all.

The end state is likely to be something like.

                            Machine
    ------------------------------------------------------
    | DNSSEC aware client <-> validating iterative cache |
    ------------------------------------------------------

The DNSSEC aware client may or may not leave the validation to the
validating iterative cache.

At the moment we have

       HOME            ISP
    ----------      ---------
    | client | <->  | cache |
    ----------      ---------

Moving to the following generally would be a good step forward

       HOME                    HOME
    ----------     ------------------------------
    | client | <-> | validating iterative cache |
    ----------     ------------------------------

or

                     Machine
    -----------------------------------------
    | client <-> validating iterative cache |
    -----------------------------------------

as it puts the policy with the policy consumer.

If you have a validating stub resolver you need to think about
what cache it talks to.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
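
An added example, not part of the original message: a non-validating client in the diagrams above learns the cache's verdict only through the AD (Authentic Data) header bit, which nothing protects between cache and client, so how far to trust it depends on where the cache sits. The function names, the result labels, the loopback-only default and the sample headers are assumptions constructed for this sketch.

```python
import ipaddress
import struct

QR_FLAG = 0x8000  # message is a response
AD_FLAG = 0x0020  # Authentic Data: the cache reports it validated the answer
CD_FLAG = 0x0010  # Checking Disabled: the client asked to validate by itself


def parse_flags(message: bytes) -> dict:
    """Decode the 12-byte DNS header and return the DNSSEC-relevant bits."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", message[:12])
    return {
        "response": bool(flags & QR_FLAG),
        "ad": bool(flags & AD_FLAG),
        "cd": bool(flags & CD_FLAG),
        "rcode": flags & 0x000F,
    }


def classify(message: bytes, cache_addr: str, secured_caches=()) -> str:
    """Decide what the AD bit is worth given the path to the cache.

    Assumed policy: AD is honoured only from a cache on the same machine
    (loopback) or from an address listed in secured_caches, meaning the
    operator has protected that channel by other means.
    """
    flags = parse_flags(message)
    if not flags["response"]:
        raise ValueError("not a DNS response")
    if not flags["ad"]:
        return "unvalidated"
    addr = ipaddress.ip_address(cache_addr)
    if addr.is_loopback:
        return "validated-on-machine"
    if cache_addr in secured_caches:
        return "validated-over-secured-path"
    return "ad-unprotected-in-transit"


# Constructed sample headers: QR|RD|RA with and without AD, one answer record.
HDR_AD = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 0)
HDR_NO_AD = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    for hdr, cache in [(HDR_AD, "127.0.0.1"), (HDR_AD, "192.0.2.53"),
                       (HDR_NO_AD, "127.0.0.1")]:
        print(cache, classify(hdr, cache))
```

The third result label corresponds to the "client at HOME, cache at ISP" layout: the answer may well have been validated, but the client cannot tell a genuine AD bit from one set on the path.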