Hi,

>> I'd like to trust the signed portion of DNS, and build security systems on
>> top of that. So the _old_ DNS isn't the right thing for the applications I
>> have in mind.
>
> Could you expand a bit on the kind of applications you have in mind?

Anything that bases security on DNS info, really; just a few that spring to mind:

- public key info such as TLSA and CERT records
- in some cases, perhaps, references to services (to avoid MITM scenarios based on DNS)
- Kerberos currently mistrusts DNS for non-configured domain lookups, and must therefore be configured manually, which is a shame if DNSSEC can help

DNSSEC offers an opportunity to secure DNS; the current assumption is that the provider of the information chooses whether or not to secure it; but in some cases the user of the information wants to be able to constrain the information to be trusted to only information that is certainly correct.

-Rick

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
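The first application in the list above (TLSA records carrying public key info) and the closing point (the consumer insisting on only DNSSEC-validated data) can be shown together. The following is an added example, not code from the post or from Unbound: it parses TLSA records in presentation format, matches them against a certificate the way DANE does, and refuses to use any TLSA data unless the resolver reported the answer as authenticated (the AD bit). The certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins, not real DER, and the `DnsAnswer` type and all function names are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse TLSA presentation format: '<usage> <selector> <mtype> <hex...>'.
    The hex field may be split across whitespace in zone files."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply selector and matching type to the presented certificate data."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return hmac.compare_digest(selected, record.data)
    digest = hashlib.sha256 if record.matching_type == 1 else hashlib.sha512
    return hmac.compare_digest(digest(selected).digest(), record.data)


@dataclass
class DnsAnswer:
    """Assumed minimal view of a resolver response (hypothetical type)."""
    authenticated: bool  # AD bit set by a validating resolver such as Unbound
    records: List[str]   # TLSA RRs in presentation format


def usable_tlsa(answer: DnsAnswer) -> List[TLSARecord]:
    """Consumer-side policy: unvalidated TLSA data is treated as absent,
    so an unsigned or stripped answer can never pin a key."""
    if not answer.authenticated:
        return []
    return [parse_tlsa(rr) for rr in answer.records]


# Constructed stand-ins for DER-encoded certificate and SPKI (not real certificates;
# the matching logic only needs the byte strings).
SAMPLE_CERT_DER = b"constructed DER certificate bytes"
SAMPLE_SPKI_DER = b"constructed DER SubjectPublicKeyInfo bytes"


def sample_tlsa_rr() -> str:
    """DANE-EE (3), SPKI (1), SHA-256 (1): pins the sample public key."""
    return "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()


def check_example() -> dict:
    rr = sample_tlsa_rr()
    validated = DnsAnswer(authenticated=True, records=[rr])
    unvalidated = DnsAnswer(authenticated=False, records=[rr])  # same data, AD bit clear
    wrong_pin = DnsAnswer(authenticated=True, records=["3 1 1 " + "00" * 32])

    def any_match(answer: DnsAnswer) -> bool:
        return any(tlsa_matches(r, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
                   for r in usable_tlsa(answer))

    return {
        "validated_match": any_match(validated),        # True
        "unvalidated_ignored": len(usable_tlsa(unvalidated)),  # 0
        "wrong_pin_match": any_match(wrong_pin),        # False
    }


if __name__ == "__main__":
    print(check_example())
```

The `authenticated` flag is where this hooks into the point Rick makes: a validating resolver sets AD only when the whole chain of signatures checks out, so a client that requires it gets exactly the "only information that is certainly correct" constraint, regardless of what the zone operator decided to sign.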
