On Thu, 28 Nov 2013, Glen Wiley wrote:
Asking the LAN's resolver for a specific record (type ENCRYPT to QNAME
".") seems a bit dangerous. This is of course completely MITM-able, but
I see no real other way to trust something fundamentally untrustworthy. So
that's okay. But I fear too many of these queries might end up on AS112.
I'd rather see an EDNS advertisement.
If the query is done via validated DNSSEC [...]
You cannot do that. The DNS resolver DHCP gave you is 192.168.1.1. How are
you validating anything? How will you distinguish my rogue 192.168.1.1 from
the real Starbucks 192.168.1.1?
That's why the recursive case is so different from the authoritative
case.
Paul
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop