On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote:

> On Tue, Jun 12, 2012 at 03:32:56AM +0000,
> Vernon Schryver <v...@rhyolite.com> wrote
> a message of 76 lines which said:
>
>> Joe and Joan should be using their ISP's validating, load balancing,
>> well (or at least somewhat) maintained DNS servers, just as they
>> should be using their ISP's SMTP systems.
>
> A strong NO here.

+lots.

> Politically, it would be a big nail in Net
> Neutrality's coffin. Also, many ISPs have lying resolvers and customers
> should NOT use them. From a security perspective, it would be
> catastrophic since the last mile is not secured, so the only safe way
> to run DNSSEC is to validate locally (which requires access to port 53
> if the ISP resolver is lying).
>

And it seems that the huge majority of "lying" is being performed at the ISP resolvers. See the numerous papers on "NXDOMAIN rewriting", Paxfire / Xerocole / Barefruit, etc., one of the better of which is Christian, Nicholas and Vern's "Redirecting DNS for Ads and Profit" ( http://www.icir.org/christian/publications/2011-foci-dns.pdf ).

There are also a huge number of really poorly run (and slow!) ISP recursive resolvers.

Having the ability to run your own validating recursive is critical…

W

> I leave these proposals to MAAWG and the Chinese government.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care." -- Terry Pratchett
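As an added example, not taken from the thread or from any of its participants: a minimal unbound.conf for the kind of local validating recursive resolver the message says every host should be able to run. It recurses to the root itself rather than forwarding to the ISP resolver, so ISP-side NXDOMAIN rewriting never reaches the client, and DNSSEC validation happens on the host instead of trusting the unsigned last mile. The loopback-only binding and the trust-anchor path are deployment assumptions; the option names are Unbound's own.

```conf
# unbound.conf: local validating recursive resolver (added example, not from the thread).
# Full recursion from the root; deliberately no forward-zone, so the ISP resolver
# is never consulted and cannot rewrite NXDOMAIN into an ad-server address.
server:
    # Serve loopback only; deployment assumption, adjust for a LAN resolver.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC: RFC 5011 managed root key. Path is an assumption; most packages
    # create it with unbound-anchor on install.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # If an upstream strips RRSIG/NSEC records from a signed zone, treat it as
    # tampering (SERVFAIL) instead of accepting the bare answer.
    harden-dnssec-stripped: yes
    # Permissive mode would hand validation failures to clients as ordinary
    # answers; keep it off so bogus data is refused.
    val-permissive-mode: no

    # Send as little of the query name upstream as possible, and answer
    # non-existent names from cached NSEC/NSEC3 proofs.
    qname-minimisation: yes
    aggressive-nsec: yes
    prefetch: yes
    hide-identity: yes
    hide-version: yes
```

Two quick checks once it is running. `dig @127.0.0.1 example.com A +dnssec` should show `ad` in the flags line, meaning the answer was validated locally. A query for a random, non-existent label under a signed zone (for instance `dig @127.0.0.1 <random-label>.example.com A`) should come back `status: NXDOMAIN`; run the same random-label query against the ISP resolver and, if it answers `NOERROR` with an A record, that resolver is doing the rewriting the papers above describe. As the quoted message notes, this only works if outbound port 53 is not intercepted; if it is, the local validator will still refuse forged answers (SERVFAIL) but cannot obtain good ones.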