On Fri 2015-07-31 11:51:49 -0400, Watson Ladd wrote:
> On Jul 31, 2015 8:49 AM, "Viktor Dukhovni" <[email protected]> wrote:
>> If the *local/loopback* resolver happens to use the ISP as a
>> forwarder, that's not especially relevant, modulo the usual privacy
>> considerations.
>
> It absolutely is relevant. It means an OS provided component can
> completely change the security guarantees of an application with no
> visible sign. I don't like that.

Isn't this always the case?  The OS can change out system libraries,
update local services, and can replace critical files (like default
trust anchor stores) already.

Viktor's proposal of always relying on a privileged port on the loopback
is a little scary, but it's certainly no scarier than the maintenance
quagmire of each application shipping its own complex DNSSEC
parsing/querying/validating stack.

         --dkg

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
