Viktor Dukhovni wrote:
> ...
>
> What's attractive here is that real resolvers (local to the same
> device) already have the requisite feature-set, and there's no need
> to augment stub resolvers with features already handled by local
> recursive resolvers. If a device is too dumb to run a separate
> resolver process, I don't expect it'll have a trustworthy DNSSEC
> implementation in its stub resolver.
trusting a dns response's AD bit to tell you that the responder has done
careful signature checking all the way back to a trust anchor you have
confidence in, doesn't fit the hotel or coffee shop scenario -- you do
not want your hotel or coffee shop in the role of making a secure
introduction between you and your bank, for example. serious security
-- that is, which passes the laugh test -- is end to end.

--
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
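The point both messages turn on is that the AD ("Authentic Data") bit is just one flag in the DNS header, set by whichever resolver answers; nothing in the wire format binds it to any signature the stub itself can check. The following is an added illustration written for this thread, not code from either poster: it builds a constructed DNS response header, reads the AD flag out of it, and applies a stub-side policy that honours AD only when the answer came from a validating resolver on the same host (loopback), which is the "local to the same device" arrangement Viktor describes. The `TRUSTED_RESOLVERS` set and the `ad_bit_is_trustworthy` policy function are assumptions for this example, not part of any RFC or resolver implementation.

```python
import ipaddress
import struct

# Bit positions in the 16-bit DNS header flags word (RFC 1035, RFC 4035).
FLAG_QR = 1 << 15   # response (1) vs query (0)
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # Authentic Data: asserted by the responder, not signed
FLAG_CD = 1 << 4    # Checking Disabled: client asks responder not to validate

# Assumption for this example: the only resolver whose AD bit the stub
# believes is a validating resolver on the local machine.
TRUSTED_RESOLVERS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def build_response_header(txid, ad=False, rcode=0):
    """Return a constructed 12-byte DNS response header (no question/answer
    sections); used here only to show how cheaply any responder can set AD."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0xF)
    if ad:
        flags |= FLAG_AD
    # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)


def parse_flags(header):
    """Decode the flags word of a DNS message header into named booleans."""
    if len(header) < 12:
        raise ValueError("DNS header must be at least 12 bytes")
    _txid, flags = struct.unpack("!HH", header[:4])
    return {
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
    }


def ad_bit_is_trustworthy(resolver_ip, header):
    """Stub-side policy (assumed, not standardised): AD is only evidence of
    validation if the responder is one we already trust AND the path to it
    cannot be rewritten. A hotel or coffee-shop resolver handed out by DHCP
    fails that test regardless of what it puts in the header."""
    flags = parse_flags(header)
    if not flags["qr"] or not flags["ad"]:
        return False
    return ipaddress.ip_address(resolver_ip) in TRUSTED_RESOLVERS


def should_validate_locally(resolver_ip):
    """If the resolver is untrusted, the stub (or a local validating resolver
    in front of it) has to do the DNSSEC work itself: end to end."""
    return ipaddress.ip_address(resolver_ip) not in TRUSTED_RESOLVERS


if __name__ == "__main__":
    # Constructed sample: the same AD=1 header, attributed to two resolvers.
    resp = build_response_header(0x1234, ad=True)
    print("flags:", parse_flags(resp))
    for src in ("127.0.0.1", "10.20.30.1"):   # local validator vs. hotel DHCP resolver
        print(src, "AD trusted:", ad_bit_is_trustworthy(src, resp),
              "validate locally:", should_validate_locally(src))
```

The header bytes are identical in both cases; only the policy about who sent them differs, which is the whole of Vixie's objection. A stub that wants end-to-end assurance either runs its own validator on loopback or validates the RRSIGs itself, and treats AD from any other source as an unauthenticated hint.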