On Wed, May 06, 2009 at 11:11:35AM +0800, YAO Jiankang wrote:

> thanks for your information.
> so we can say that in the current practice, the (validating) resolvers are
> not run by local host or machine.

I don't think you can say that. What you can say is that in current practice, DNSSEC is hardly deployed at all. Microsoft's current plan is to deploy the validator in the recursive resolvers first, relying on IPSec between the end nodes and the recursive resolver to secure that last hop. For many environments, that's a perfectly good answer (but it surely won't be the right answer to every case).

> so if we can say if dnssec is not supported by tsig or ipsec, it is still
> not safe since the client and the recursive resolver are not secured?

Or SIG(0), or by pushing validation out to the end node. Note that each end node is in a position to do this for itself. If a request arrives at a recursive, validating resolver with the CD bit set, then that recursive resolver MUST return whatever security data it gets to the originating querier. It also MAY do validation itself according to local policy, but it's not allowed to return SERVFAIL if the validation fails: it's just supposed to hand back the apparently-bogus answer anyway. This allows for the case where the end node has a trust anchor that will allow the response to validate, even though the intermediate system (i.e. recursing resolver) doesn't.

A

--
Andrew Sullivan
[email protected]
Shinkuro, Inc.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
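The CD-bit behaviour described in the reply above, as an added illustration that is not part of the thread: a stub builds a query header with CD set, a simulated recursive validating resolver answers it following the rules in the mail (CD set: hand back the data and never SERVFAIL on a validation failure; CD clear: validate on the client's behalf and SERVFAIL bogus data), and an end node with its own trust anchor decides for itself. Only the 12-byte DNS header is modelled (stdlib `struct`, no real network I/O); the `validate_when_cd` policy knob and the `end_node_accepts` stub logic are hypothetical simplifications, and the AD-bit handling is a conservative one (AD only when the resolver itself validated the data).

```python
import struct

# Flag bits of the 16-bit DNS header flags field (RFC 1035; AD/CD from RFC 4035).
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query_header(txid: int, cd: bool = False) -> bytes:
    """Stub side: 12-byte header for a single-question query, RD set, CD optional."""
    flags = RD | (CD if cd else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_header(raw: bytes) -> dict:
    """Decode the fixed 12-byte header into the fields the functions below look at."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", raw[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x0F,
        "ancount": ancount,
    }


def resolver_response(query_header: bytes, answer_validates: bool,
                      validate_when_cd: bool = True) -> bytes:
    """Header a recursive validating resolver sends back (simulation).

    answer_validates: what the resolver's own trust anchors say about the data.
    validate_when_cd: the 'MAY validate according to local policy' choice for
    CD-set queries (hypothetical policy knob, not something from the mail).
    """
    q = parse_header(query_header)
    flags = QR | RA | (RD if q["rd"] else 0) | (CD if q["cd"] else 0)
    if q["cd"]:
        # CD set: hand back the data (and its DNSSEC records) even if it looks
        # bogus to us; returning SERVFAIL on a validation failure is not allowed.
        validated = validate_when_cd and answer_validates
        flags |= AD if validated else 0
        return struct.pack("!HHHHHH", q["id"], flags | RCODE_NOERROR, 1, 1, 0, 0)
    # CD clear: the resolver validates for the client; bogus data becomes SERVFAIL.
    if not answer_validates:
        return struct.pack("!HHHHHH", q["id"], flags | RCODE_SERVFAIL, 1, 0, 0, 0)
    return struct.pack("!HHHHHH", q["id"], flags | AD | RCODE_NOERROR, 1, 1, 0, 0)


def end_node_accepts(response: bytes, local_validation: bool) -> bool:
    """Stub that set CD and holds its own trust anchor (hypothetical logic):
    it needs the data to arrive (NOERROR with an answer) and then trusts only
    its own validation result, not the resolver's AD bit."""
    r = parse_header(response)
    if r["rcode"] != RCODE_NOERROR or r["ancount"] == 0:
        return False
    return local_validation


if __name__ == "__main__":
    # Scenario from the mail: the end node has a trust anchor the resolver lacks.
    q_cd = build_query_header(0x1234, cd=True)
    r_cd = resolver_response(q_cd, answer_validates=False)
    print("CD set   ->", parse_header(r_cd), "accepted:", end_node_accepts(r_cd, True))
    q_nocd = build_query_header(0x1234, cd=False)
    r_nocd = resolver_response(q_nocd, answer_validates=False)
    print("CD clear ->", parse_header(r_nocd), "accepted:", end_node_accepts(r_nocd, True))
```

The point the two scenarios make concrete: with CD clear, the resolver's trust anchors are the only ones that matter and a mismatch ends in SERVFAIL, so the end node never sees the records; with CD set, the records reach the end node, which can validate them against its own anchor regardless of what the intermediate resolver concluded.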
