On Sun, 2014-04-13 at 16:29 +0930, William Brown wrote:
> > That depends. You need caching for DNSSEC validation, so really,
> > every device needs a cache, unless you want to outsource your DNSSEC
> > validation over an insecure transport (LAN). That seems like a very
> > bad idea.
>
> If your LAN is insecure, you have other issues. That isn't the problem
> you are trying to solve.

I keep seeing this repeated by you and Harald.

I am truly in awe that your networks are *secure*; however, that is not the common case. Networks are routinely breached by zombified machines or are insecure by default (wifi, or very large networks where anyone can plug in). Basically, if any of the machines on the network can be compromised, the network is not secure anymore. Finally, you certainly can't trust a network as large as a common ISP's.

All these networks need to be treated as insecure by default.

You cannot trust a DNS server not on your machine to do DNSSEC resolution for you or, as soon as you want to start using DANE, TLSA, etc., you are a sitting duck, and people will be able to MITM you extremely easily.

The default needs to cater for these issues. But of course it is just a default; on your network you'll be able to change the resolvers however you want.

The only thing I agree on is that the default MUST use the forwarders provided by the local DHCP unless the user explicitly configured otherwise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
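The point made in the message above, that an AD (Authenticated Data) bit returned by a resolver reached over an unauthenticated LAN hop carries no assurance, can be checked mechanically. The following Python script is an added example, not code from this thread or from the Fedora project: it parses a resolv.conf snippet and the header of a wire-format DNS response (both constructed here, using documentation-range addresses) and treats the AD flag as meaningful only when the answering resolver is on a loopback address. The helper names and the sample values are assumptions made for the illustration.

```python
"""Added example: decide whether a DNS answer's AD (Authenticated Data)
bit can be relied on, based on where the answering resolver lives.

The thread's argument: a resolver on another host reached over plain
UDP/TCP can have its answers (and its AD bit) rewritten on the wire, so
anything that depends on DNSSEC-validated data (DANE/TLSA lookups, for
instance) must only believe an AD bit set by a validator on the local
machine, or must validate the RRSIGs itself.
"""
import ipaddress
import struct

# RFC 4035 section 3.2.3: AD is bit 5 (value 0x0020) of the header flags word.
AD_FLAG = 0x0020
HEADER_LEN = 12


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf content, in order."""
    servers = []
    for raw in text.splitlines():
        # Strip both comment styles resolv.conf accepts, then tokenize.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_local_resolver(addr):
    """True only for loopback addresses, i.e. a resolver running on this host."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def ad_bit_set(message):
    """Parse the 12-byte DNS header of a wire-format message and report the AD flag."""
    if len(message) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", message[:4])
    return bool(flags & AD_FLAG)


def trust_ad_bit(resolver_addr, message):
    """Return (trusted, reason): may this answer be treated as DNSSEC-validated?"""
    if not ad_bit_set(message):
        return False, "resolver did not assert authenticated data"
    if not is_local_resolver(resolver_addr):
        return False, ("AD bit arrived from remote resolver %s over an unauthenticated "
                       "transport; anyone on the path could have set or stripped it"
                       % resolver_addr)
    return True, "AD bit set by a validating resolver on this host"


def audit_resolv_conf(text):
    """Classify each configured nameserver by whether its AD bit may be believed."""
    return [(addr, is_local_resolver(addr)) for addr in parse_resolv_conf(text)]


# --- constructed sample inputs (not captured from any real system) ---
RESOLV_LOCAL = "# local validating resolver\nnameserver 127.0.0.1\n"
RESOLV_DHCP = ("; handed out by DHCP on an untrusted LAN\n"
               "nameserver 192.0.2.53\nnameserver 192.0.2.54\n")


def _dns_header(flags, qd=1, an=1):
    """Build a 12-byte DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!HHHHHH", 0x1234, flags, qd, an, 0, 0)


# QR=1, RD=1, RA=1, AD=1 -> 0x81a0; the same response without AD -> 0x8180
VALIDATED_RESPONSE = _dns_header(0x81A0)
UNVALIDATED_RESPONSE = _dns_header(0x8180)


if __name__ == "__main__":
    for conf in (RESOLV_LOCAL, RESOLV_DHCP):
        for addr, ok in audit_resolv_conf(conf):
            print("%-12s AD bit trustworthy: %s" % (addr, ok))
    for addr in ("127.0.0.1", "192.0.2.53"):
        print(addr, trust_ad_bit(addr, VALIDATED_RESPONSE))
    print("127.0.0.1", trust_ad_bit("127.0.0.1", UNVALIDATED_RESPONSE))
```

The classification only answers "who set this AD bit"; it says nothing about whether the DHCP-provided servers are bad forwarders. The arrangement the message ends on, a local validator that forwards queries to the DHCP-supplied servers but checks the RRSIGs itself, is exactly the case where the loopback address is the one a client talks to and the remote addresses never appear in resolv.conf at all.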