In message <[EMAIL PROTECTED]>, Paul Wouters writes:
> On Fri, 28 Nov 2008, Andrew Sullivan wrote:
>
> > That said, I don't want to make light of the end-point problem, since
> > TSIG between a stub and a recursor isn't a trivial problem today
> > either. Moreover, since end nodes in many environments get their
> > recursor's address(es) via DHCP, and since that path is pretty easy to
> > compromise, the whole edifice rests on a sandy foundation.
> > Nevertheless, I just want to be clear that having every end node in
> > the world doing RFC 4035-and-friends validation is not the only path
> > to useful DNSSEC.
>
> It's worse. Before you can start validating on your own, or use some
> trusted remote TSIG accessible resolver, you are likely to need
> to accept some spoofs to get past the hotspot authentication.
Which is something the IETF should be providing / promoting
a standard alternative for. At present normal protocol
operations are being hijacked to do this.
Browsers could then have a "HOTSPOT" button which just looked
up this information, for example.
Mark
> Then you need to prevent your browser from caching them too much (they
> do fastflux protection), and your own potential resolver needs to
> dump the answers once it has a real IP link to the real world.
>
> I don't know of any method to both allow hotspot access and fully
> use DNSSEC.
>
> Paul
> _______________________________________________
> Ietf mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ietf
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]