> DNSsec is very important for other reasons, such as the current
> pharming attacks. The risks have been known in the security community
> since at least 1991, and publicly since at least 1995. The
> long-predicted attacks are now happening. We really need to get DNSsec
> deployed, independent of mDNS or LLMNR. Given that there is now some
> forward progress on DNSsec, it's not at all unreasonable for either or
> both of those specs to rely on it to solve some of their particular
> security risks.

Couldn't agree more. But if I'm not mistaken, the current DNSSEC specifications do not mandate that DNS stub resolvers be DNSSEC-aware validating, which is what would be required for use in a peer-to-peer name resolution protocol.

There is also the DNSEXT WG edict that mDNS/LLMNR not share a cache with DNS, which makes it difficult for mDNS/LLMNR to utilize trust anchors or acquired keys present in the DNS cache.