On Wed, Apr 23, 2025 at 11:19:26AM +0530, tirumal reddy <kond...@gmail.com> wrote a message of 450 lines which said:
> > * In Section 3, "However, this approach is ineffective when DNSSEC
> > is deployed given that DNSSEC ensures the integrity and
> > authenticity of DNS responses, preventing forged DNS responses
> > from being accepted." There are assumptions about DNSSEC
> > deployment baked into this statement. In practice, it has little
> > preventative force.
> >
>
> The existing text in Section 3 is intended to describe the behavior
> when DNSSEC is deployed, and is agnostic to the actual deployment
> levels of DNSSEC globally. It makes no claim about how commonly
> DNSSEC is used in practice.

I suspect that Mark was not referring to the size of the DNS deployment but to the fact that there are several deployment strategies possible. For instance, DNSSEC validation can be done on a remote resolver (ISP, corporate network) but also on a resolver local to the machine. In the first case, forged DNS responses won't be a problem for DNSSEC if the forgery is done by the remote resolver.