On Feb 17, 2013, at 3:34 PM, Paul Hoffman <[email protected]> wrote: > Because I am my own operator. Yes, you want to be my nanny; no, I didn't ask > you to be.
I don't want to be _your_ nanny. But you are one of the other two dozen people in the world with some inkling of how DNSSEC works. You aren't the person that I mean to protect when I say this UI MUST NOT happen. > That would work for me too, but not "you're a host, so you cannot use > negative trust anchors", which is what Jason's proposed text said. Hence the discussion. But it is worth paying attention to the way that this solution breaks the assumptions of the DNSSEC security model. In the case of a validating resolver at the ISP level, it doesn't, because if you're trusting a validating resolver without a secure path to it, you're basically just looking for protection against cache spoofing. If you have a validating resolver on your host, this gives you much stronger security guarantees; if you then enable negative trust anchors from an ISP list, you are back to the external validator level of security, which is a potentially _substantial_ downgrade, depending on what kind of security your provider offers. _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
