
Re: DS and Opt-in - a proposal



On Mon, Dec 31, 2001 at 10:23:05AM -0500, Loomis, Rip wrote:

> Both Netscape and IE include some DNS-related internal
> capabilities--but I believe (as do others) that it's 
> just a cache for data received through the normal system
> gethostbyname() [or equivalent function].  In other words,

Piet Barber informed me that IE will query *all* configured resolvers
simultaneously and use the first answer it receives. I hope this is not the
default Windows behaviour!

> four. That's great...but at that point, we need a way for
> the browser to indicate that there are different degrees of
> trust in the provided information--which sounds to me as
> though DNSSEC *won't* just be transparent to the client.

Exactly. This is what I mean. And instead of theorizing from our comfortable
speccing desks, I think we should just ask the people designing browsers. I
can contact the Mozilla people if needed, if they aren't reading this list
yet.

> Unless we find a way to ease the transition while still providing
> a useful security enhancement, IMHO we're going to have trouble
> getting signed zones into the "commonly used" category.

We can try to push DNSSEC but it would be far better to create a DNSSEC
'pull' from the browser community. Same probably holds for MTAs.

Regards,

bert 

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
Linux Advanced Routing & Traffic Control: http://ds9a.nl/lartc

