[dns-operations] security-aware stub resolver

Florian Weimer fw at deneb.enyo.de
Fri May 23 10:15:16 UTC 2008


* Patrik Fältström:

> I disagree with you Florian, and agree with Paul. We need any security
> mechanism we have, specifically validation mechanisms. In the DNS
> lookup, in the BGP peering, in the DNS zone transfer, in the
> application that connect a client to a server, ...

We need DNSSEC, but application behavior cannot depend on whether data
from DNS has passed DNSSEC validation or not.

It's like some HTML features being available only if the document has
been downloaded over HTTPS.  It does not make sense.



More information about the dns-operations mailing list