[dns-operations] security-aware stub resolver

Joe Abley jabley at ca.afilias.info
Thu May 22 18:58:43 UTC 2008

On 22 May 2008, at 14:46, Edward Lewis wrote:

> A stub should not need to get the DNSSEC records.

Right. That's the kind of frail, boney assertion I was looking for  
meat on.

What I am worrying about quietly in the background when I see  
statements like this, incidentally, is this kind of thing:

1. Signature expires. Zone administrator doesn't notice.

2. Customers of ISP A, who use by default a security-aware resolver  
stop being able to resolve names in that zone.

3. Customers of ISP B, an ISP who has no interest in DNSSEC, continue  
to be able to resolve names in that zone.

4. ISP A's helpdesk phones start to ring.

5. ISP A is unable either to diagnose the problem, or to contact the  
zone administrator.

6. Customers of ISP A are incredulous that the idea that this might be  
someone else's problem, since their neighbours who use ISP B are still  

7. ISP A turns off validation.

If customers of ISP A see messages of the form "your advanced ISP who  
has wondrous capabilities has detected a possible problem with this  
web site, which because we are magnificent we are alerting you to the  
possible hazards of" then their reaction might be quite different. But  
that's only possible if applications have insight into the security,  
which I think implies a security-aware stub resolver (and an API from  
that to applications).


More information about the dns-operations mailing list