I support Hallam-Baker's views on this.

Regards,
/Janvier Ngnoulaye

On Wed, 8 April 2015 21:37, Phillip Hallam-Baker wrote:
> On Wed, Apr 8, 2015 at 9:52 PM, Ryan Sleevi <[email protected]>
> wrote:
>
>> On Wed, April 8, 2015 6:27 pm, Phillip Hallam-Baker wrote:
>>>
>>> If DNSSEC is ever deployed AND it becomes visible to clients then it
>>> could be relevant to this spec. But right now DNSSEC is not a viable
>>> mechanism for authenticating DNS RRs at the client.
>>
>> Agreed. And so how are you going to bootstrap security over an insecure
>> connection, without dealing with all of the threat scenarios
>> explicitly and implicitly addressed by the documents you're trying to
>> supplant/augment?
>
> We are agreed that the utility of DNSSEC is limited to authoritative
> name resolvers, if that.
>
> So rather than trying to build further on a dead end, I propose to
> work in the opposite direction. We have a deployed scheme that already
> works inband in HTTP, extending it to DNS publication is the logical next
> step to extend the scheme further. Once that is in place there is an
> incentive to deal with authenticating the DNS client-resolver connection.
>
> We can argue about the security benefits achieved through this
> particular proposal, but what do you expect from two pages?
>
> What I propose is that we take the low hanging fruit now and let folk
> who have complicated boil the ocean approaches continue to fend for
> themselves.
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
