Exactly, the pre-DNSSEC application architecture for DNS is now obsolete.
We have at this point only developed a technical infrastructure for securing DNS responses. Developing the application architecture to leverage that opportunity still lies ahead of us.

But even in the new world of DNSSEC with end-to-end authentication, the resolver plays a role that requires trust and thus should be chosen and trusted.

On Wed, Oct 20, 2010 at 9:55 PM, Mark Andrews <[email protected]> wrote:
>
> In message <[email protected]>, Martin Rex writes:
> > Phillip Hallam-Baker wrote:
> > >
> > > The weakest DNS architectural idea is the notion that DNS resolvers are
> > > untrusted. This is simply wrong. Every DNS resolver performs a trusted role.
> >
> > Nope, just the opposite. Name to address translation is meant to
> > be an extremely lightweight and fast service.
>
> The DNS is not just name to address translation.
>
> > Hostnames are NOT supposed to be trusted in any way and it is a serious
> > misconception to think they're trusted.
> >
> > If you want to authenticate your peer, use something like an SSH host key.
>
> And how do you know you should trust the host key the remote machine
> presents?
>
> > The routing of datagrams on the internet is also untrusted, so any notion
> > that a service that translates hostnames into IP-Addresses should be
> > trusted is fatally flawed and is totally ignorant about the fundamental
> > architecture of the internet.
> >
> > -Martin
> > _______________________________________________
> > Ietf mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/ietf
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]

--
Website: http://hallambaker.com/

_______________________________________________
Ietf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf
