> -----Original Message-----
> From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of
> Mark Andrews
> Subject: Re: [DNSOP] Comments on draft-livingood-dns-redirect-00
>
>
> In message <6.2.5.6.2.20090714124754.030b6...@elandnews.com>, SM writes:
> > In Section 8.4, it is mentioned that "the owner of example.com may
> > request that the ISP or DNS ASP not perform DNS Redirect for the
> > example.com domain". It will be a lot of work to contact all the
> > ISPs, if that is even possible, to submit such a request.
>
> If the zone is signed it can be reasonably assumed that the owner
> doesn't want the answers modified as they have taken steps to ensure
> that such modifications are detected.

This actually bugs me as well.

I can imagine that with wide deployment of DNSSEC, applications like browsers, email, ftp, ssh, ntp, etc. etc. clients, apps and ticker tools, will post warnings to users when validation for a domain name has failed. Validation will be done on the client. Same way as for SSL certification.

When it becomes practice to redirect DNS traffic for signed NXdomain responses, it will also become practice for ordinary users to click away such warnings, and they become used to clicking away the errors, perhaps even demanding a configurable option in the client to discard security warnings. This does not help in educating the general public, who we are trying to protect from malicious content and forgeries.

Antoin Verschuren
Technical Policy Advisor
SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500
F: +31 26 3525505
M: +31 6 23368970
mailto:antoin.verschu...@sidn.nl
xmpp:ant...@jabber.sidn.nl
http://www.sidn.nl/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop