> Florian Weimer wrote:
>
> >>Caching servers not validating the response?
>
> > Yes, this is still a widely-held view. To be honest, I don't think it
> > makes much sense. We need DNSSEC right now, not at some unknown
> > future date when operating system vendors have shipped security-aware,
> > validating stub resolvers for a while, so that there is finally a
> > client population which supports end-to-end DNSSEC.
>
> Fortunately enough, we don't need DNSSEC at all.
>
> > What's worse, end-to-end DNSSEC support for mobile devices (which move
> > from networks with resolvers which support end-to-end DNSSEC to
> > networks which don't) is a completely unsolved problem. We are
> > basically at stage 0: denial that the problem exists. Not good at
> > all.
>
> What's wrong with resolvers on mobile hosts? I'm afraid you are
> assuming roaming over private IP networks without end-to-end
> visibility, which is often the case with 3GPP, which is not
> a problem of the Internet.
>
> BTW, DNS is definitely not end-to-end, because it relies on
> intelligent intermediate eitities of name servers.
Actually it doesn't. It can be configured that way but
there is no requirement to actually use a caching nameserver.
Authoritative nameserver to iterative client works.
>
> Masataka Ohta
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
