On Apr 30, 2014, at 3:12 PM, Nicholas Weaver <[email protected]> wrote:

> On Apr 30, 2014, at 12:08 PM, Dan York <[email protected]> wrote:
>
>> But overall the technology behind DNSSEC is very solid and is not the
>> deployment challenge.
>
> There is one key problem with DNSSEC to the user's system: 1%+ of the
> network rejects it, because the user is behind a device which blocks
> 3rd-party DNS requests and forces all requests through a
> non-DNSSEC-supporting recursive resolver.

Yes, this is an issue. Wes Hardaker, Olafur Gudmundsson and Suresh Krishnaswamy have done a good job of documenting this and other related issues in this I-D:

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance

(And they are certainly open to comments and feedback on the draft.)

Dan

--
Dan York
Senior Content Strategist, Internet Society
[email protected]   +1-802-735-1624
Jabber: [email protected]
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/deploy360/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
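
Added example, not part of the original thread: a minimal check for the condition discussed above, where a client is forced through a recursive resolver that does not support DNSSEC. It builds a query with the EDNS0 DO bit set and classifies a reply by whether RRSIG records and the AD flag come back; the name signed.example, the three result labels and the sample replies are constructed for illustration.

```python
import struct

A, RRSIG, OPT = 1, 46, 41            # RR type codes
AD_FLAG, DO_FLAG = 0x0020, 0x8000    # header AD bit, EDNS0 DO bit

def encode_name(name):
    """Encode a domain name as length-prefixed labels, uncompressed."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(name, qtype=A, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, DO_FLAG, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, pos):
    """Return the offset just past a name; a compression pointer ends it."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def classify(reply):
    """Classify a resolver's reply to a DO=1 query for a signed name."""
    _, flags, qdcount, ancount = struct.unpack("!HHHH", reply[:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(reply, pos) + 4          # QTYPE + QCLASS
    seen = set()
    for _ in range(ancount):
        pos = skip_name(reply, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        seen.add(rtype)
        pos += 10 + rdlen
    if RRSIG not in seen:
        return "no-dnssec"      # signatures missing: path is not DNSSEC-aware
    return "validating" if flags & AD_FLAG else "dnssec-aware"

def sample_reply(flags, with_rrsig):
    """Constructed reply for signed.example A (test data, not a capture)."""
    ptr = b"\xc0\x0c"           # compression pointer to the question name
    answers = [ptr + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if with_rrsig:
        # 24 zero bytes stand in for RRSIG rdata; its contents are not checked
        answers.append(ptr + struct.pack("!HHIH", RRSIG, 1, 300, 24) + bytes(24))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    return header + encode_name("signed.example") + struct.pack("!HH", A, 1) + b"".join(answers)

if __name__ == "__main__":
    for flags, sig in ((0x81A0, True), (0x8180, True), (0x8180, False)):
        print(hex(flags), sig, classify(sample_reply(flags, sig)))
```

The AD flag is only meaningful when the path to the resolver is trusted; a client that needs assurance validates the returned RRSIGs itself.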
