> Florian Weimer wrote: > > >>Caching servers not validating the response? > > > Yes, this is still a widely-held view. To be honest, I don't think it > > makes much sense. We need DNSSEC right now, not at some unknown > > future date when operating system vendors have shipped security-aware, > > validating stub resolvers for a while, so that there is finally a > > client population which supports end-to-end DNSSEC. > > Fortunately enough, we don't need DNSSEC at all. > > > What's worse, end-to-end DNSSEC support for mobile devices (which move > > from networks with resolvers which support end-to-end DNSSEC to > > networks which don't) is a completely unsolved problem. We are > > basically at stage 0: denial that the problem exists. Not good at > > all. > > What's wrong with resolvers on mobile hosts? I'm afraid you are > assuming roaming over private IP networks without end-to-end > visibility, which is often the case with 3GPP, which is not > a problem of the Internet. > > BTW, DNS is definitely not end-to-end, because it relies on > intelligent intermediate eitities of name servers.
Actually it doesn't. It can be configured that way but there is no requirement to actually use a caching nameserver. Authoritative nameserver to iterative client works. > > Masataka Ohta > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop