----- Original Message ----- 
From: "Stephane Bortzmeyer" <[email protected]>
To: "YAO Jiankang" <[email protected]>
Cc: "IETF DNSOP WG" <[email protected]>
Sent: Tuesday, May 05, 2009 10:46 PM
Subject: Re: [DNSOP] where is the validating resolver ? Re: WGLC: DNSSEC Trust Anchor Configuration and Maintenance


> On Tue, May 05, 2009 at 10:01:42AM +0800,
> YAO Jiankang <[email protected]> wrote 
> a message of 16 lines which said:
> 
>> it usually locates in the local host as the same as the normal
>> resolver?
> 
> You mean stub resolver? Because, on the vast majority of machines, the
> normal resolver is certainly not "in the local host".
> 
>> or it usually locates in recursive name server or some special
>> host?
> 
> Both are possible and reasonable and I do not think it would be wise
> to mandate one specific approach.
> 
>> if it usually locates in the local host as the same as the normal
>> resolver, every machine must be configured with at least one trust
>> anchor. so the local machine needs a lot of computing resources to
>> finish the resolving process.
> 
> Management of trust anchors is certainly a big issue, computing
> resources are not for the typical PC, which has so much unused
> processing power that it must run 3D screensavers to use at least a
> part of it.
> 

Thanks for your information.
So we can say that in the current practice, the (validating) resolvers are not
run by the local host or machine.

>> if it usually locates in recursive name server or some special
>> host, the local host just sends a query to that machine. if so, the
>> data transferred between the local host and the resolver is not
>> secured, we need another mechanism to secure the data transfer.
> 
> The client and the recursive resolver are often in the same network
> (for some definition of network, I did not say "in the same LAN") 

So can we say that if DNSSEC is not supported by TSIG or IPsec, it is still not
safe, since the client and the recursive resolver are not secured?

> so
> the security issues are less pressing than in the global Internet.

Maybe it is less pressing,
but if the security problems occur "in the same LAN", it will be more serious
for the local users than the problem in the global Internet, and impact all the
users "in the same LAN".


> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop