mind if i cut in?

On Saturday, 25 April 2020 06:23:54 UTC Vladimír Čunát wrote:
> Original subject: New draft on delegation revalidation
> 
> On 4/24/20 4:49 PM, Shumon Huque wrote:
> > ...
> 
> ...

(agreeableness.)

> Still, note that for some consumers the secure transport may be an
> argument to drop validating DNSSEC themselves.  If they choose some DNS
> provider that they trust with privacy (it might be their ISP), it seems
> not a huge leap to trust them with DNS integrity as well (say, the
> provider doing DNSSEC validation).  Especially as today "regular users"
> don't get that much benefit from validation, mostly relying on
> https/tls.

i hope there's some use for DNS results beyond introducing me to an X.509 
authenticated web server. for example i might use DNS to validate an X.509 
self-signed certificate along the lines of DANE. to me this means the goal we 
followed for DNSSEC (authenticate what goes into an RDNS cache) was too 
narrow, and the difficulties of getting stub validation working should have 
been avoided from the outset (in 1996, that was.)

> Some of them also want a variant of DNS filtering, which
> still clashes with validation a bit (if done *after* filtering).

it will be necessary for filtered results to be separately (hop by hop) signed 
using something like SIG(0) or TSIG. (stubs ought to choose who can filter.) 
but this isn't a substitute for stub validation (end to end). one ought not 
trust a coffee shop or even one's own ISP to make a trusted introduction to 
one's bank (more or less quoting dan kaminsky from back in 2008 or so.)

-- 
Paul

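The distinction drawn above, between hop-by-hop signing of filtered answers (TSIG or SIG(0), which authenticates the resolver the stub chose) and end-to-end stub validation (DNSSEC, which authenticates the zone's data regardless of who relayed it), can be modelled in a few lines. The following is an added example, not code from this thread or from any DNS implementation: it uses an HMAC as a stand-in for TSIG and a toy Lamport one-time signature as a stand-in for DNSKEY/RRSIG (real DNSSEC uses RSA, ECDSA or Ed25519 over canonical RRsets, and nothing here is DNS wire format). The zone `bank.example.`, the 192.0.2.x addresses and the shared secret are constructed values. The point it demonstrates is that a stub holding both keys can tell apart three outcomes: an answer that validates end-to-end, an answer rewritten by the resolver it chose (hop-by-hop MAC still valid, zone signature gone), and an answer altered by a party holding neither key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace as dc_replace
from typing import List, Optional, Tuple


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- end-to-end: toy Lamport one-time signature standing in for DNSKEY/RRSIG ---
# Anyone holding the public key can verify; nobody without the secret key can
# forge. Real DNSSEC uses RSA/ECDSA/Ed25519; this keeps the same trust shape
# with only the standard library (constructed for this example).
def lamport_keygen() -> Tuple[list, list]:
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes) -> List[int]:
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk: list, msg: bytes) -> List[bytes]:
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk: list, msg: bytes, sig: List[bytes]) -> bool:
    return len(sig) == 256 and all(
        h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


# --- a minimal RRset/response model (not DNS wire format) ---
@dataclass(frozen=True)
class Response:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    rrsig: Optional[Tuple[bytes, ...]]  # end-to-end: produced by the zone
    mac: Optional[bytes]                # hop-by-hop: produced by the resolver


def rrset_bytes(name: str, rtype: str, rdata: Tuple[str, ...]) -> bytes:
    # canonical form: lower-cased owner, type, sorted rdata
    return "\n".join([name.lower(), rtype] + sorted(rdata)).encode()


def mac_input(r: Response) -> bytes:
    # the hop-by-hop MAC covers the response exactly as the resolver sends it
    return rrset_bytes(r.name, r.rtype, r.rdata) + b"".join(r.rrsig or ())


# constructed keys: the zone's signing key, and a TSIG secret the stub shares
# with the resolver it chose ("stubs ought to choose who can filter").
# The resolver never holds ZONE_SK.
ZONE_SK, ZONE_PK = lamport_keygen()
TSIG_KEY = b"constructed-shared-secret-between-stub-and-resolver"


def authoritative_answer() -> Response:
    rdata = ("192.0.2.10",)
    sig = lamport_sign(ZONE_SK, rrset_bytes("bank.example.", "A", rdata))
    return Response("bank.example.", "A", rdata, tuple(sig), mac=None)


def resolver_sign(r: Response) -> Response:
    """Chosen resolver adds its hop-by-hop MAC (TSIG stand-in) to what it sends."""
    return dc_replace(r, mac=hmac.new(TSIG_KEY, mac_input(r), "sha256").digest())


def resolver_forward(answer: Response) -> Response:
    return resolver_sign(answer)


def resolver_filter(answer: Response) -> Response:
    """Filtering resolver rewrites the answer; it cannot mint a zone signature."""
    return resolver_sign(dc_replace(answer, rdata=("192.0.2.99",), rrsig=None))


def on_path_tamper(resp: Response) -> Response:
    """A party holding neither key rewrites the answer in transit."""
    return dc_replace(resp, rdata=("192.0.2.66",))


def stub_classify(resp: Response) -> str:
    """End-to-end check first; hop-by-hop check only explains a failure."""
    e2e_ok = resp.rrsig is not None and lamport_verify(
        ZONE_PK, rrset_bytes(resp.name, resp.rtype, resp.rdata), list(resp.rrsig))
    hop_ok = resp.mac is not None and hmac.compare_digest(
        resp.mac, hmac.new(TSIG_KEY, mac_input(resp), "sha256").digest())
    if e2e_ok:
        return "validated end-to-end"
    if hop_ok:
        return "filtered by chosen resolver"
    return "rejected: unauthenticated modification"


if __name__ == "__main__":
    a = authoritative_answer()
    for label, r in [("forwarded", resolver_forward(a)),
                     ("filtered", resolver_filter(a)),
                     ("tampered", on_path_tamper(resolver_forward(a)))]:
        print(f"{label:9s} -> {stub_classify(r)}")
```

The ordering in `stub_classify` is the substance of the argument: the hop-by-hop MAC never upgrades an answer to "authentic", it only lets the stub attribute a failed end-to-end check to a resolver it deliberately trusted with filtering, which is exactly why the two mechanisms are complementary rather than interchangeable.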

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
