On Thu, Mar 06, 2014 at 11:09:33PM +0000, Dan York wrote:

> this case of the attacker controlling the recursive resolver, I
> don't know that any of the various solutions thrown around today
> would do anything to help with this.  

But this was exactly the question I (among others) was trying to ask
at the mic.  From whom exactly are we trying to protect ourselves?  If
one of the answers is, "our immediate upstream resolver", there's
actually a possible answer to that: either don't have one, or prove
that the one you're talking to is one you can trust.

But to start that discussion, we first have to figure out from whom we
are protecting ourselves.

Best regards,

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
