On Sun, 18 Jan 2015, Neal Becker wrote:
> The article's author has responded here: http://sockpuppet.org/stuff/dnssec-qa.html
>
> This quote caught my attention:
>
> > DNSSEC deployment guides go so far as to recommend against deployment of DNSSEC validation on end-systems. So significant is the inclination against extending
Which is nonsense. DNSSEC is going to the end nodes (stubs). You can't outsource security anymore, especially with the Crypto Wars re-ignited.
> > DNSSEC all the way to desktops that an additional protocol extension (TSIG) was designed in part to provide that capability.
TSIG is for authenticating write access to a zone, for example to send an NSUPDATE for a host name. It is not a method for securing the "last mile".

In general, you cannot trust DHCP or the DNS supplied by DHCP. In a way that's fine, because it cannot forge DNSSEC-signed data. It can at most withhold it, and even that will be detected by the stub using it as a forwarder (and it will stop using the DNS server and try to work around it - we would do that via dnssec-trigger for now). This is exactly why DNSSEC will have to go onto the stub resolvers.

Paul
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct