On 8.4.2014 16:10, Joe Abley wrote:
On 8 Apr 2014, at 9:54, Petr Spacek <[email protected]> wrote:
On 8.4.2014 15:20, Edward Lewis wrote:
From the linked message:
Let me quote very first part of the message to put it into context:
People start to disagree when it comes to questions like "Is it feasible to
rely on a local validating resolver in the near future? How can applications
detect that a validating resolver is not configured and that DNS responses
can't be trusted?"
The aim of the proposal below is to enable applications to stay safe on systems
without a validating resolver.
In other words, we are looking for a way to augment current APIs to move
DNSSEC-related knobs from applications to the system-wide level (so you don't
need to tweak the OpenSSH config and the Postfix config separately, for instance).
I think introducing a new API to inform applications as to what security
measures are in place is going to be messy and complex. The better approach is
surely to let applications decide what features they want and specify them
through the same API they use to perform DNS resolution, e.g.
http://www.vpnc.org/getdns-api/
I definitely agree that a new API is necessary, but I'm afraid that it is a
long-term effort. Unfortunately, many (non-DNS-related) projects have roadmaps
filled with more interesting stuff (for them) than a new fancy DNS API.
I would rather see RFC 4025, RFC 4255, draft-wouters-dane-openpgp and
draft-wouters-dane-openpgpkey-usage practically implemented and widely used
sooner rather than later.
Thank you for your time.
--
Petr Spacek @ Red Hat
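The question quoted in the thread, whether an application can tell that its answers came through a validating resolver, as an added example that is not part of this thread or of any of the projects it names: a small Python check that parses the DNS message header, reads the AD (Authentic Data) bit defined in RFC 4035, and trusts it only when the answer came from a resolver on the local host. The constants, function names and sample headers are constructed for illustration.

```python
import struct
import ipaddress

# Flag bits of the 16-bit DNS header flags field (RFC 1035, RFC 4035 section 3.2.3).
FLAG_QR = 1 << 15  # response (as opposed to query)
FLAG_AD = 1 << 5   # Authentic Data: the resolver asserts it DNSSEC-validated the answer
FLAG_CD = 1 << 4   # Checking Disabled

# Assumption: only a resolver on the local host is considered trustworthy enough
# for its AD assertion to mean anything to the application.
LOCAL_RESOLVERS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header into id, flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar,
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF}


def answer_is_validated(msg: bytes, resolver: str) -> bool:
    """Return True only if the application may rely on this answer as DNSSEC-validated.

    The AD bit is a bare claim by whoever sent the response: over unauthenticated UDP
    from a remote resolver it can be set by a spoofer or stripped on path, so it is
    accepted only from a local validating resolver. An answer with AD clear and
    RCODE 0 is indistinguishable here between "resolver does not validate" and
    "zone is unsigned", which is exactly the gap the thread is discussing.
    """
    hdr = parse_header(msg)
    if not (hdr["flags"] & FLAG_QR) or hdr["rcode"] != 0:
        return False
    if ipaddress.ip_address(resolver) not in LOCAL_RESOLVERS:
        return False  # remote resolver: AD assertion carries no weight
    return hdr["ad"]


def build_header(ident: int, qr: bool, ad: bool, rcode: int = 0, ancount: int = 1) -> bytes:
    """Build a response header (constructed sample data, not captured traffic)."""
    flags = (FLAG_QR if qr else 0) | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed samples: a validated answer and a plain, unvalidated one.
SAMPLE_VALIDATED = build_header(0x1234, qr=True, ad=True)
SAMPLE_UNVALIDATED = build_header(0x1234, qr=True, ad=False)
```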
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop