
Re: DS and Opt-in - a proposal
> > <AOL>ME TOO!</AOL>
> 
> Aha. So we don't care about the implementors and clients of DNSSEC because
> we've all figured it out on our own. That is not a sound engineering
> principle. Oh well. Good luck in your ivory tower.

to paraphrase mr. bush, "that ain't what was said."

dnssec does not require any api changes or client changes in order to make
a large number of dns lookups more secure.  if zone servers and full resolvers
("authoritative and recursive nameservers") implement it, and if stub 
resolvers ("clients") use TSIG or some other secure last-mile channel (doors?
IPSec?) to reach their local recursive nameservers, then "security" will go
"up."

of course, a dnssec-aware api that would allow for dnssec-aware clients would
also help explore ways to make things more secure, and we should do it.

but we do not have to have a new api or change any clients before DNSSEC can
be at least initially effective.

so, welcome to my ivory tower.  (you were already inside.)
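The point above, that an unmodified stub can benefit from DNSSEC as soon as its recursive nameserver validates, rests on the existing wire format: the recursive resolver signals validation with the AD bit in the ordinary RFC 1035 header, and the stub asks for DNSSEC data with the DO bit in an EDNS OPT record. The following is an added illustration, not code from this thread or from any DNS implementation: it builds such a query, parses a constructed reply the way an unchanged stub could, and shows why the AD bit is only worth trusting over a protected last mile. The name example.com, the address 192.0.2.1 and the query id are constructed sample values.

```python
import struct

# Header flag bits (RFC 1035; AD and CD were added by RFC 2535)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authentic Data: the recursive resolver validated the answer
FLAG_CD = 0x0010   # Checking Disabled
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT RR's TTL field (RFC 3225)
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off] (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(qname, qtype=1, qid=0x1234, dnssec_ok=True):
    """Ordinary RFC 1035 query with RD set; DO is requested via an OPT RR, so the
    stub needs no API beyond 'send bytes, receive bytes'."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags, rdlen 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg


def make_response(query, rdata, ad, rcode=RCODE_NOERROR):
    """Constructed recursive-resolver reply for this example: echoes the question and
    returns one A record whose owner name is a pointer (0xC00C) to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + query[12:qend] + answer


def parse_header(msg):
    """Decode the 12-byte header into the fields a stub cares about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0xF, "qr": bool(flags & FLAG_QR),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "qdcount": qd, "ancount": an}


def first_a_record(msg):
    """Dotted address of the first A record in the answer section, or None."""
    h = parse_header(msg)
    off = skip_name(msg, 12) + 4            # past the single question
    for _ in range(h["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return None


def answer_is_authenticated(response, expected_id):
    """The only check an unchanged stub has to make: the reply answers our query,
    RCODE is NOERROR and the validating recursive resolver asserted AD.  AD is
    worth trusting only when the last mile to that resolver is protected (TSIG,
    IPsec, ...), since any party able to inject a reply can set the bit."""
    h = parse_header(response)
    return h["qr"] and h["id"] == expected_id and h["rcode"] == RCODE_NOERROR and h["ad"]


if __name__ == "__main__":
    q = build_query("example.com")
    validated = make_response(q, bytes([192, 0, 2, 1]), ad=True)
    print(first_a_record(validated), answer_is_authenticated(validated, 0x1234))
```

Nothing in the stub side is DNSSEC-specific: it reads a flag the resolver already returns. The security gain therefore comes from the recursive nameserver doing the validation, and the TSIG or IPsec channel is what stops someone on the path from handing the stub a forged reply with AD set.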
