Florian Weimer wrote:

>>Caching servers not validating the response?
 
> Yes, this is still a widely-held view.  To be honest, I don't think it
> makes much sense.  We need DNSSEC right now, not at some unknown
> future date when operating system vendors have shipped security-aware,
> validating stub resolvers for a while, so that there is finally a
> client population which supports end-to-end DNSSEC.

Fortunately enough, we don't need DNSSEC at all.

> What's worse, end-to-end DNSSEC support for mobile devices (which move
> from networks with resolvers which support end-to-end DNSSEC to
> networks which don't) is a completely unsolved problem.  We are
> basically at stage 0: denial that the problem exists.  Not good at
> all.

What's wrong with resolvers on mobile hosts? I'm afraid you are
assuming roaming over private IP networks without end-to-end
visibility, which is often the case with 3GPP, which is not
a problem of the Internet.

BTW, DNS is definitely not end-to-end, because it relies on
intelligent intermediate entities of name servers.

                                                Masataka Ohta


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
