On Wed, Apr 8, 2015 at 9:52 PM, Ryan Sleevi <[email protected]> wrote:

> On Wed, April 8, 2015 6:27 pm, Phillip Hallam-Baker wrote:
>
>> If DNSSEC is ever deployed AND it becomes visible to clients then it
>> could be relevant to this spec. But right now DNSSEC is not a viable
>> mechanism for authenticating DNS RRs at the client.
>
> Agreed. And so how are you going to bootstrap security over an insecure
> connection, without dealing with all of the threat scenarios explicitly
> and implicitly addressed by the documents you're trying to
> supplant/augment?

We are agreed that the utility of DNSSEC is limited to authoritative name resolvers, if that. So rather than trying to build further on a dead end, I propose to work in the opposite direction.

We have a deployed scheme that already works in-band in HTTP; extending it to DNS publication is the logical next step to extend the scheme further. Once that is in place there is an incentive to deal with authenticating the DNS client-resolver connection.

We can argue about the security benefits achieved through this particular proposal, but what do you expect from two pages?

What I propose is that we take the low-hanging fruit now and let folk who have complicated boil-the-ocean approaches continue to fend for themselves.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
