> * Masataka Ohta:
> 
> > Caching servers not validating the response?
> 
> Yes, this is still a widely-held view.  To be honest, I don't think it
> makes much sense.  We need DNSSEC right now, not at some unknown
> future date when operating system vendors have shipped security-aware,
> validating stub resolvers for a while, so that there is finally a
> client population which supports end-to-end DNSSEC.
> 
> What's worse, end-to-end DNSSEC support for mobile devices (which move
> from networks with resolvers which support end-to-end DNSSEC to
> networks which don't) is a completely unsolved problem.  We are
> basically at stage 0: denial that the problem exists.  Not good at
> all.

        The end state is likely to be something like:

                         Machine
        ------------------------------------------------------
        | DNSSEC aware client <-> validating iterative cache |
        ------------------------------------------------------

        The DNSSEC aware client may or may not leave the validation
        to the validating iterative cache.

        At the moment we have

          HOME                    ISP
        ----------              ---------
        | client |      <->     | cache |
        ----------              ---------

        Moving to the following generally would be a good step forward

          HOME                             HOME
        ----------              ------------------------------
        | client |      <->     | validating iterative cache |
        ----------              ------------------------------

                        or 

                     Machine 
        -----------------------------------------
        | client <-> validating iterative cache |
        -----------------------------------------

        as it puts the policy with the policy consumer.

        If you have a validating stub resolver you need to think
        about what cache it talks to.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
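As an added illustration of the choice Mark describes (this is example code, not anything from the thread or from ISC), the stdlib-only Python below shows the wire-level side of "the DNSSEC aware client may or may not leave the validation to the validating iterative cache": the client either sets CD and validates for itself, or leaves CD clear and relies on the cache's AD bit, which it should only believe from a cache it trusts. The query bytes, response headers and the `cache_is_trusted` input are constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS DO bit (RFC 3225)
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # Authenticated Data, set by a validating cache
FLAG_CD = 0x0010  # Checking Disabled, client will validate itself
EDNS_DO = 0x8000  # DNSSEC OK, in the OPT record's TTL field (ext-rcode/version 0)


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, validate_locally: bool, msg_id: int = 0x1234) -> bytes:
    """Build a DNSSEC-aware query. A client that validates for itself sets CD
    so the cache hands over the data (with RRSIGs, hence DO) even when the
    cache's own validation fails; a client that leaves validation to its cache
    sets only DO and relies on the cache's AD bit."""
    flags = FLAG_RD | (FLAG_CD if validate_locally else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)  # root name, OPT, UDP size, DO, rdlen 0
    return header + question + opt


def query_flags(query: bytes) -> dict:
    """Parse CD and DO back out of a query built above (for checking)."""
    flags = struct.unpack("!H", query[2:4])[0]
    pos = 12
    while query[pos] != 0:  # skip the question name labels
        pos += 1 + query[pos]
    pos += 1 + 4  # root terminator, QTYPE, QCLASS
    _, _, _, ttl, _ = struct.unpack("!BHHIH", query[pos:pos + 11])
    return {"cd": bool(flags & FLAG_CD), "do": bool(ttl & EDNS_DO)}


def answer_is_authenticated(response: bytes, cache_is_trusted: bool) -> bool:
    """A non-validating client may believe AD only if the cache that set it is
    one it trusts, e.g. a validating cache on the same machine or home network.
    The last hop to an ISP or hotspot cache is unsigned, so AD from there proves
    nothing. Returns True only when both conditions hold."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_AD) and cache_is_trusted


# Constructed sample response headers: QR|RD|RA, with and without AD
AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 1, 0, 0)
NO_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```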