=JeffH (Jeff.Hodges) writes:
>
> Thomas Ptacek replies to various questions re his original post.
>
> questions and answers from "Against DNSSEC"
> http://sockpuppet.org/stuff/dnssec-qa.html
Well, it's certainly opinionated, but there are a couple of points
worth addressing:
* Can’t end-systems validate DNSSEC records themselves rather than trusting
servers?
Sure they can. Everyone can also just run their own caching server. They
don’t, though, because the protocol was designed with the expectation
that they wouldn’t (this squares with the overall design of the DNS,
in which stub resolvers cooperate to reduce traffic to DNS authority
servers by relying on caching servers). DNSSEC deployment guides go
so far as to recommend against deployment of DNSSEC validation on
end-systems. So significant is the inclination against extending DNSSEC
all the way to desktops that an additional protocol extension (TSIG) was
designed in part to provide that capability.
That's a bit of an old view at this point. Isn't the idea these days
to validate as close to the user as possible?
Either T. Ptacek is purposefully ignoring this, or we're really
bad at explaining it :)
* What’s so important about secret hostnames? Is revealing hostnames
really that big a problem?
He seems to be referring to zone walking with NSEC, which he kind of
but not really addresses in the original post (there he says that
minimally covering NSEC3 records aren't the default; based on what
implementation?).
Cheers,
Phil
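As an added illustration of the two points above (validation moving onto the end-system, and NSEC exposing hostnames), and not code from this thread or from any DNSSEC implementation: the authenticated-denial check a validator performs with an NSEC record, over a constructed chain for a hypothetical zone "example.".

```python
# Added example (not the thread's or the RFCs' code): the authenticated
# denial check a validator does with an NSEC RR (RFC 4034 s6.1 ordering,
# RFC 4035 s5.4). A stub doing its own validation must run this rather
# than trust a caching server's AD bit; the "next" field of each NSEC RR
# is a real owner name in the zone, which is what zone walking reads.
from typing import List, Optional, Tuple

def _canonical_key(name: str) -> List[bytes]:
    """Labels right-to-left, lowercased, as bytes (RFC 4034 section 6.1)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]

def canonical_lt(a: str, b: str) -> bool:
    """True when name a sorts strictly before name b in canonical order."""
    return _canonical_key(a) < _canonical_key(b)

def in_zone(qname: str, apex: str) -> bool:
    """True when qname is the apex or lies below it."""
    key, apex_key = _canonical_key(qname), _canonical_key(apex)
    return key[:len(apex_key)] == apex_key

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """Does 'owner NSEC next_name' prove qname has no RRs at all?
    The last NSEC in a zone points back at the apex, so its range wraps."""
    if canonical_lt(owner, next_name):
        return canonical_lt(owner, qname) and canonical_lt(qname, next_name)
    return canonical_lt(owner, qname) or canonical_lt(qname, next_name)

# Constructed sample chain for a hypothetical zone "example." (not real data).
NSEC_CHAIN: List[Tuple[str, str]] = [
    ("example.", "alpha.example."),
    ("alpha.example.", "mail.example."),
    ("mail.example.", "www.example."),
    ("www.example.", "example."),  # final record wraps to the apex
]
def find_covering_nsec(chain, apex: str, qname: str) -> Optional[Tuple[str, str]]:
    """Return the NSEC RR proving qname is absent, or None when nothing covers
    it (name exists, out of zone, or incomplete proof): None means 'not proven'."""
    if not in_zone(qname, apex):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None

if __name__ == "__main__":
    for q in ("ftp.example.", "zzz.example.", "WWW.example.", "a.other."):
        print(q, "->", find_covering_nsec(NSEC_CHAIN, "example.", q))
```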