Re: IESG feedback on dnsext-ad-is-secure
[ post by non-subscriber. with the massive amount of spam, it is easy to
miss and therefore delete mis-posts. so fix subscription addresses! ]
I must confess to being a bit surprised that anybody would even consider
accepting an AD-is-secure bit from a name server with which their only
relationship is that they saw its IP address in a DHCP packet. Of course
not. You're going to run a local caching name server on your host that
you know is configured the right way because you (or Microsoft, or Apple)
configured it.
If your objection is that there's no way in the protocol to ensure that
this has been done, I think it's not a good real-world objection. In the
real world, there are two classes of DNS users - those who consider it a
black box, and those who care enough to mess with it. Neither of these is
a customer for a way of representing the secure resolver's security policy
in the wire protocol. The first group doesn't care - they want their
vendor or sysadmin to set it up right, and if it's not set up right, they'll
find out when they're defrauded. The second group is going to
administratively verify every part of their resolver system. Where is the
third group that you're talking about that needs a verification system
that operates in the wire protocol?
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
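The check the post argues for, as an added example (not code from the original post or from any IETF document): a stub only treats an answer as authenticated when the AD bit is set *and* the answer came from a resolver the host itself controls, and it strips AD from anything learned over DHCP or otherwise untrusted before passing the answer on. The header bytes are hand-built here rather than captured, and the resolver addresses (127.0.0.1, 192.0.2.53, a 10.0.0.0/8 trust range) are assumptions for the demonstration.

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035 layout, AD/CD from the DNSSEC flags).
QR_BIT = 1 << 15
RD_BIT = 1 << 8
RA_BIT = 1 << 7
AD_BIT = 1 << 5
CD_BIT = 1 << 4


def build_header(txid, qr=1, ad=1, rcode=0):
    """Constructed 12-byte DNS header (one question, one answer) for the demo.
    This is not captured traffic; only the flag word matters here."""
    flags = (QR_BIT if qr else 0) | RD_BIT | RA_BIT | (AD_BIT if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)


def parse_flags(header):
    """Return the fields a stub needs from the header flag word."""
    txid, flags = struct.unpack("!HH", header[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & 0xF,
    }


def resolver_is_trusted(resolver_ip, trusted=()):
    """A resolver is trusted only if it is local (loopback) or the administrator
    explicitly listed its network. A DHCP-supplied address never qualifies by itself."""
    ip = ipaddress.ip_address(resolver_ip)
    if ip.is_loopback:
        return True
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted)


def authenticated(header, resolver_ip, trusted=()):
    """True only when the response is a real reply, carries AD, and the AD bit
    arrived over a path we administratively verified (the post's second group)."""
    f = parse_flags(header)
    return f["qr"] and f["ad"] and resolver_is_trusted(resolver_ip, trusted)


def clear_ad(header):
    """What a local stub/forwarder should do to an answer from an untrusted
    upstream: clear AD so nothing downstream mistakes it for a validated answer."""
    txid, flags = struct.unpack("!HH", header[:4])
    return struct.pack("!HH", txid, flags & ~AD_BIT) + header[4:]


def sanitize(header, resolver_ip, trusted=()):
    """Pass the header through unchanged from a trusted resolver, AD-stripped otherwise."""
    if resolver_is_trusted(resolver_ip, trusted):
        return header
    return clear_ad(header)


if __name__ == "__main__":
    local = build_header(0x1234)                 # AD=1 from 127.0.0.1
    dhcp = build_header(0x1234)                  # same bits, but from a DHCP-learned address
    print("local  AD honoured:", authenticated(local, "127.0.0.1"))      # True
    print("dhcp   AD honoured:", authenticated(dhcp, "192.0.2.53"))      # False
    print("dhcp   AD after sanitize:", parse_flags(sanitize(dhcp, "192.0.2.53"))["ad"])  # False
```

Only the trust decision changes between the two calls; the wire bits are identical, which is exactly why the post says the protocol cannot carry the resolver's security policy and the host has to know it administratively.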