[dns-operations] security-aware stub resolver
Joe Abley
jabley at ca.afilias.info
Thu May 22 18:58:43 UTC 2008

On 22 May 2008, at 14:46, Edward Lewis wrote:
> A stub should not need to get the DNSSEC records.

Right. That's the kind of frail, boney assertion I was looking for
meat on.

What I am worrying about quietly in the background when I see
statements like this, incidentally, is this kind of thing:

1. Signature expires. Zone administrator doesn't notice.
2. Customers of ISP A, who use by default a security-aware resolver,
   stop being able to resolve names in that zone.
3. Customers of ISP B, an ISP who has no interest in DNSSEC, continue
   to be able to resolve names in that zone.
4. ISP A's helpdesk phones start to ring.
5. ISP A is unable either to diagnose the problem, or to contact the
   zone administrator.
6. Customers of ISP A are incredulous at the idea that this might be
   someone else's problem, since their neighbours who use ISP B are still
   working.
7. ISP A turns off validation.

If customers of ISP A see messages of the form "your advanced ISP who
has wondrous capabilities has detected a possible problem with this
web site, which because we are magnificent we are alerting you to the
possible hazards of" then their reaction might be quite different. But
that's only possible if applications have insight into the security,
which I think implies a security-aware stub resolver (and an API from
that to applications).

Joe
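
Added example, not part of the original message: step 1 of the scenario above (a signature expiring unnoticed) is something a zone operator can monitor for. This Python sketch classifies RRSIG records in presentation format by their validity window; the function names, the three-day warning threshold, the sample records and the `now` value are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the presentation format that `dig +dnssec` prints
# (signatures shortened); example.com and every value here are illustrative.
SAMPLE = """\
example.com.     3600 IN RRSIG A 5 2 3600 20080520000000 20080420000000 12345 example.com. c2ln
example.com.     3600 IN RRSIG MX 5 2 3600 20080524000000 20080424000000 12345 example.com. c2ln
example.com.     3600 IN RRSIG NS 5 2 3600 20080621000000 20080522000000 12345 example.com. c2ln
www.example.com. 3600 IN RRSIG AAAA 5 3 3600 1214000000 20080525000000 12345 example.com. c2ln
"""

def parse_sig_time(field):
    """RFC 4034 section 3.2: either 14-digit YYYYMMDDHHmmSS (UTC) or
    decimal seconds since the epoch; the two are told apart by length."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Return (owner, type_covered, status, expiration) for each RRSIG line."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or "RRSIG" not in fields:
            continue  # dig comment line or a non-RRSIG record
        i = fields.index("RRSIG")
        if len(fields) < i + 9:
            continue  # truncated record: RDATA fields up to signer name missing
        # RDATA order: type, algorithm, labels, original TTL, expiration, inception, ...
        expiration = parse_sig_time(fields[i + 5])
        inception = parse_sig_time(fields[i + 6])
        if now >= expiration:
            status = "EXPIRED"        # validating resolvers will reject this RRset
        elif now < inception:
            status = "NOT_YET_VALID"  # usually clock skew or a signer error
        elif expiration - now <= warn:
            status = "EXPIRING_SOON"  # re-sign before validators start failing
        else:
            status = "OK"
        results.append((fields[0], fields[i + 1], status, expiration))
    return results

if __name__ == "__main__":
    now = datetime(2008, 5, 22, 18, 58, 43, tzinfo=timezone.utc)  # constructed clock
    for owner, covered, status, exp in check_rrsigs(SAMPLE, now):
        print(f"{status:14} {owner} {covered} expires {exp.isoformat()}")
```

Run against the output of a query for the zone's signed records on a schedule, a check like this alerts the zone administrator before customers of validating resolvers are affected.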