It seems to me that the main benefit of SIG(0) is not securing connections
between resolvers and caches, but in securing DNS updates and other
transfers where you need authentication+authorization. In the case where
you just need authentication, we already have DNSSEC. I _guess_ Warren's
use case makes some sense, but I think it's a bit hackerly, and not
something we'd expect to see wide deployment.

On Fri, Jun 22, 2018 at 9:41 AM, Vladimír Čunát <vladimir.cunat+i...@nic.cz>
wrote:

> On 06/22/2018 12:27 AM, Ted Lemon wrote:
> > Thanks. In the case where a zone isn’t signed but the authoritative
> > server supports SIG(0), the response could be verified that it
> > includes exactly what the server sent. But the KEY would need to be
> > DNSSEC validated or it probably can’t be trusted to verify the SIG(0)
> > response.
>
> Well, the path to the resolver can be secured via other means that are
> commonly available nowadays, e.g. DNS over TLS.  I can also see use
> cases for client trusting a resolver enough not to bother with DNSSEC
> validation locally.
>
> --Vladimir
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>