On 2012-10-02 7:48 PM, Warren Kumari wrote:
> DNSSEC on the *host / stub* would have though.

this doesn't work at the moment, even when there's code on the stub that supports it, which is rare and experimental. i occasionally turn on a recursive name server on my laptop, but it's very rare that udp/53 is allowed through a wireless gateway in a hotel or coffee shop, and when it is, edns usually triggers an immune response because the gateway "knows" that additional data sections of queries are empty. when this doesn't fail, the multipacket response is damaged by dropping all fragments after the first one.

if ietf hadn't declared the dns protocol finished, and were not even now working to close up the dnsext working group, i'd propose that we develop a standard for carrying edns over tcp/80 and/or tcp/443, which is for most mobile users what "the internet" consists of.

i'm not sure how we expect DANE to make any difference when we don't have working last mile DNSSEC.

paul
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
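
The failure modes described in the message above (udp/53 blocked, the EDNS additional section rejected, fragments after the first dropped) can be told apart from a stub by sending one plain query and one EDNS query and classifying the replies. This is an added example, not part of the original post; the function names and verdict strings are hypothetical, and the sketch does no network I/O: the caller sends the probes and passes in the raw replies, or None on timeout.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag, carried in the OPT record's TTL field

def build_query(name, qtype=1, qid=0x1234, edns=True, udp_size=4096):
    """DNS query; with edns=True an OPT record (type 41) is appended."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns:  # root owner, TYPE=41, CLASS=payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_BIT, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer is two bytes
            return off + 2
        off += 1 + n

def classify(resp):
    """Classify one reply to an EDNS query (None means it timed out)."""
    if resp is None:
        return "timeout"
    _, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    if flags & 0x000F == 1:
        return "formerr"           # gateway or server rejected the OPT record
    off, has_opt = 12, False
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == 41
    if not has_opt:
        return "edns-stripped"     # reply came back without an OPT record
    return "truncated" if flags & 0x0200 else "edns-ok"

def diagnose(plain_resp, edns_resp):
    """Combine a plain probe and an EDNS probe into one path verdict."""
    if plain_resp is None:
        return "udp/53 blocked"
    verdict = classify(edns_resp)
    if verdict == "timeout":
        return "edns query dropped or response fragments lost"
    return verdict
```

A timeout on the EDNS probe alone cannot separate a dropped query from lost fragments. Repeating the probe with a small `udp_size` makes the server set TC instead of fragmenting, so a reply at the small size points at fragment loss.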
