On 21 Aug 2015, at 9:49, Andi via Unbound-users wrote:

> I also find it very useful because DNSSEC should be integrated per Device to
> be useful/secure IMHO.

I must say I disagree with the statement, because it sounds as if the usefulness of DNSSEC is black and white, yes or no, and that it is useless today as no validation is happening locally.

In reality, you already today must trust various pieces of the zeroconf tussle, and one of them is the recursive resolver of your choice (or rather, the one your [trusted] DHCP server is giving to you). There are a multitude of attack vectors in the local network, but because of that, creating mechanisms for those to do a better job will make things better. And I am specifically thinking of the ability for a recursive resolver to do validation.

So, I definitely think DNSSEC is useful even if validation is not happening in the local device. In Sweden, more than 95% of resolvers do validate DNSSEC signed responses (I think it was, according to Geoff's measurements), and that is A Good Thing. More ISPs and cellphone providers etc. should immediately turn on validation! Unfortunately, statements like the one above I hear as arguments for not doing so.

That said, I completely agree that the goal must be to have validation happen locally, although in some cases (various mixed IPv6/IPv4 environments, for example) that will not work. But in those you are doomed anyway if you do not trust the local environment.

> I hope that someday (soon) a validating resolver will be the default for
> Android, at least in the more technical driven projects like cyanogenmod.

Completely agree with this!

Patrik