[dns-operations] security-aware stub resolver
Patrik Fältström
patrik at frobbit.se
Fri May 23 10:19:31 UTC 2008
On 23 May 2008, at 12.15, Florian Weimer wrote:
> * Patrik Fältström:
>
>> I disagree with you Florian, and agree with Paul. We need any security
>> mechanism we have, specifically validation mechanisms. In the DNS
>> lookup, in the BGP peering, in the DNS zone transfer, in the
>> application that connects a client to a server, ...
>
> We need DNSSEC, but application behavior cannot depend on whether data
> from DNS has passed DNSSEC validation or not.
For me this is local policy. Like the setting regarding DN validation
of the X.509 or popup windows. I do not know what the right policy is,
but I am sure it will change over time.
> It's like some HTML features being available only if the document has
> been downloaded over HTTPS. It does not make sense.
Local policy... People in the world will never agree.
BUT, if the validation is made locally, this can at least become a
local policy.
Patrik