On Thu, 13 Oct 2011, Tomas Mraz wrote:
>>
>>> And if this malicious DNS administrator controls the caching
>>> nameserver you're using for DNS queries, he can present you ANY data
>>> even 'valid' fake DNSSEC data.
>>
>> This is not generally true. Resolver libraries can (and should, IMHO)
>> verify DNSSEC themselves. Otherwise DNSSEC is somewhat pointless,
>> because it is precisely when you are stuck behind an untrusted Wifi
>> gateway that you need DNSSEC the most.
> Yes, they can and should. But they don't.

We're testing ftp://ftp.xelerance.com/dnssec-trigger/ and I hope it can get
integrated into Fedora. It means running DNSSEC-aware resolvers on the end
node, with as much use as possible of DHCP-obtained DNS server caches.

Paul
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
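The setup Paul describes, a validating resolver on the end node that still uses the DHCP-supplied caches for the actual lookups, can be expressed as a small Unbound configuration. The example below is added here and is neither part of the thread nor dnssec-trigger's own configuration; the two forwarder addresses (192.0.2.53, 192.0.2.54) are placeholders standing in for whatever DHCP handed out, and the trust-anchor path is the common Fedora/Red Hat location, which is an assumption.

```conf
# Added example, not from the thread or from dnssec-trigger.
# Minimal unbound.conf: validate DNSSEC locally, forward queries to the
# caches obtained from DHCP (placeholder addresses 192.0.2.53/54).
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Local validation against the root trust anchor; Unbound keeps the
    # file current via RFC 5011 key rollover. Path is an assumption.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # A forwarder that strips RRSIGs from a signed zone must produce
    # SERVFAIL, not an unvalidated answer. Both are the defaults, but
    # stated explicitly because they are the point of the exercise.
    harden-dnssec-stripped: yes
    val-permissive-mode: no

# Let the forwarder set be changed at runtime (see note below).
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

# Use the DHCP-obtained caches as upstream for everything; Unbound still
# validates every answer they return before handing it to the stub.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
```

With `remote-control` enabled the forwarder list can be swapped without a restart (`unbound-control forward 192.0.2.53 192.0.2.54`), or dropped entirely (`unbound-control forward off`) so Unbound recurses on its own when the local caches turn out to break DNSSEC; this is the kind of reconfiguration a tool like dnssec-trigger has to do on each network change, though its own probing logic is not reproduced here. To check that validation is actually happening, query a signed name through 127.0.0.1 with `dig +dnssec` and look for the `ad` flag in the answer; a forwarder serving forged or RRSIG-stripped data yields SERVFAIL instead of the forged record.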