On Fri, 28 Nov 2008, Andrew Sullivan wrote:
> That said, I don't want to make light of the end-point problem, since TSIG between a stub and a recursor isn't a trivial problem today either. Moreover, since end nodes in many environments get their recursor's address(es) via DHCP, and since that path is pretty easy to compromise, the whole edifice rests on a sandy foundation. Nevertheless, I just want to be clear that having every end node in the world doing RFC 4035-and-friends validation is not the only path to useful DNSSEC.
It's worse. Before you can start validating on your own, or use some trusted remote TSIG-accessible resolver, you are likely to need to accept some spoofs to get past the hotspot authentication. Then you need to prevent your browser from caching them too much (they do fastflux protection), and your own potential resolver needs to dump the answers once it has a real IP link to the real world. I don't know of any method to both allow hotspot access and fully use DNSSEC.

Paul

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
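The failure mode Paul describes (answers spoofed by a captive portal that must be accepted to get online, then must not linger once the real link is up) can be sketched as a resolver cache with a quarantine state. The following is an added illustration written for this page, not code from any participant in the thread or from any resolver; the portal probe, the 30-second TTL cap for quarantined answers, and the sample names and addresses are all assumptions chosen for the example.

```python
"""
Captive-portal-aware resolver cache (illustrative example, not from the thread).

Two ideas:
  1. A probe for a name that must not exist detects interception: a portal
     that hands back an address for it is spoofing (assumption: the probe
     name is under a zone we control and is known to be absent).
  2. While captive, unvalidated answers are accepted but quarantined: their
     TTL is capped and they are purged wholesale once real connectivity is
     confirmed. After that only DNSSEC-validated answers are cached.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    name: str
    rdata: str
    ttl: int
    validated: bool  # True only if our own validator verified the RRSIGs (AD)


@dataclass
class _Entry:
    expiry: float
    rdata: str
    validated: bool
    quarantined: bool  # learned while the hotspot was intercepting DNS


def probe_indicates_captive(rcode: str, answers: list) -> bool:
    """Interpret the reply to a query for a name that must not exist.

    A genuine resolver returns NXDOMAIN with no answer records; a captive
    portal typically returns NOERROR plus its own address for everything.
    """
    return rcode == "NOERROR" and len(answers) > 0


class QuarantineCache:
    MAX_QUARANTINE_TTL = 30  # seconds; assumption for the example

    def __init__(self, now=time.monotonic):
        self._now = now
        self._entries: dict = {}
        self.captive = True  # assume interception until proven otherwise

    def put(self, ans: Answer) -> bool:
        """Cache an answer; returns False if policy refuses it."""
        if self.captive:
            # Needed to reach the portal at all, but short-lived and tagged.
            ttl = min(ans.ttl, self.MAX_QUARANTINE_TTL)
            self._entries[ans.name] = _Entry(
                self._now() + ttl, ans.rdata, ans.validated, True)
            return True
        if not ans.validated:
            # Online now: anything that fails DNSSEC validation is not cached.
            return False
        self._entries[ans.name] = _Entry(
            self._now() + ans.ttl, ans.rdata, True, False)
        return True

    def get(self, name: str):
        entry = self._entries.get(name)
        if entry is None or entry.expiry <= self._now():
            self._entries.pop(name, None)
            return None
        return entry.rdata

    def mark_online(self) -> list:
        """Real IP link confirmed: dump everything learned while captive."""
        self.captive = False
        purged = sorted(n for n, e in self._entries.items() if e.quarantined)
        for name in purged:
            del self._entries[name]
        return purged


if __name__ == "__main__":
    # Constructed walk-through: captive phase, then transition to online.
    cache = QuarantineCache()
    print(probe_indicates_captive("NOERROR", ["10.0.0.1"]))   # True: spoofed
    cache.put(Answer("portal.example", "10.0.0.1", 3600, False))
    print(cache.get("portal.example"))                         # 10.0.0.1
    print(cache.mark_online())                                 # ['portal.example']
    print(cache.put(Answer("www.example.com", "192.0.2.10", 300, False)))  # False
```

The cache deliberately separates "learned while captive" from "unvalidated": the first is purged on the state change regardless of TTL, the second is refused outright once online. Browsers keep their own caches, so this only covers the resolver side of the problem Paul raises.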