[dns-operations] security-aware stub resolver

Patrik Fältström patrik at frobbit.se
Fri May 23 10:19:31 UTC 2008

On 23 maj 2008, at 12.15, Florian Weimer wrote:

> * Patrik Fältström:
>> I disagree with you Florian, and agree with Paul. We need any  
>> security
>> mechanism we have, specifically validation mechanisms. In the DNS
>> lookup, in the BGP peering, in the DNS zone transfer, in the
>> application that connect a client to a server, ...
> We need DNSSEC, but application behavior cannot depend on whether data
> from DNS has passed DNSSEC validation or not.

For me this is local policy. Like the setting regarding DN validation  
of the X.509 or popup windows. I do not know what the right policy is,  
but I am sure it will change over time.

> It's like some HTML features being available only if the document has
> been downloaded over HTTPS.  It does not make sense.

Local policy... People in the world will never agree.

BUT, if the validation is made locally, this can at least become a  
local policy.


More information about the dns-operations mailing list