In message <alpine.LFD.1.10.0811281438590.7186@xxxxxxxxxxxxxxxxxxxx>, Paul Wouters writes:

> On Fri, 28 Nov 2008, Andrew Sullivan wrote:
>
> > That said, I don't want to make light of the end-point problem, since
> > TSIG between a stub and a recursor isn't a trivial problem today
> > either. Moreover, since end nodes in many environments get their
> > recursor's address(es) via DHCP, and since that path is pretty easy to
> > compromise, the whole edifice rests on a sandy foundation.
> > Nevertheless, I just want to be clear that having every end node in
> > the world doing RFC 4035-and-friends validation is not the only path
> > to useful DNSSEC.
>
> It's worse. Before you can start validating on your own, or use some
> trusted remote TSIG accessible resolver, you are likely to need
> to accept some spoofs to get past the hotspot authentication.

Which is something the IETF should be providing / promoting a standard
alternative for. At present normal protocol operations are being
hijacked to do this. Browsers could then have a "HOTSPOT" button which
just looked up this information, for example.

Mark

> Then you need to prevent your browser from caching them too much (they
> do fastflux protection), and your own potential resolver needs to
> dump the answers once it has a real IP link to the real world.
>
> I don't know of any method to both allow hotspot access and fully
> use DNSSEC.
>
> Paul
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
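The recipe Paul sketches above (accept the portal's spoofed answers, keep them from being cached for long, and dump them once a real IP link exists) is the part a stub implementer gets wrong most easily: a single cache table lets the portal's answer displace a validated one. The following is an added illustration, not code from this thread, from the IETF or from ISC. It models a validating stub's cache in Python with a separate, TTL-capped "captive" table that only serves lookups while the hotspot is being negotiated and is discarded on the way out, so DNSSEC-validated answers are never overwritten or leaked past that phase. `StubCache`, `Entry`, `CAPTIVE_TTL_CAP` and the sample names and addresses are hypothetical/constructed; nothing here talks to a real resolver.

```python
"""Toy model of a validating stub's cache policy on a captive-portal hotspot.

Added example; not part of the original mailing-list thread. Class and
constant names are hypothetical, the addresses are constructed test data.
"""
from dataclasses import dataclass
import time

# Constructed value: the longest a portal-learned answer may live, so a
# browser cannot keep using the portal's address once the link is real.
CAPTIVE_TTL_CAP = 30.0


@dataclass
class Entry:
    rdata: str        # answer data (an IPv4 address in this toy model)
    expires: float    # absolute time at which the entry must be dropped
    validated: bool   # True only for answers that passed DNSSEC validation


class StubCache:
    """Two tables: validated answers, and portal answers accepted under duress."""

    def __init__(self, clock=time.time):
        self._validated = {}   # name -> Entry, DNSSEC-validated only
        self._captive = {}     # name -> Entry, accepted only to reach the portal
        self._clock = clock
        self.captive = False

    def enter_captive(self):
        """Hotspot detected: validation cannot succeed yet, so tolerate
        unvalidated answers, but keep them in their own short-lived table."""
        self.captive = True

    def leave_captive(self):
        """Real IP connectivity reached: forget everything the portal told us."""
        self.captive = False
        self._captive.clear()

    def store(self, name, rdata, ttl, validated):
        """Return which table (if any) accepted the answer."""
        now = self._clock()
        if self.captive:
            # Anything learned behind the portal is untrusted and TTL-capped,
            # whatever the responder claimed.
            self._captive[name] = Entry(rdata, now + min(ttl, CAPTIVE_TTL_CAP), False)
            return "captive"
        if validated:
            self._validated[name] = Entry(rdata, now + ttl, True)
            return "validated"
        # Outside the portal phase an unvalidated answer is a failure or a
        # spoof; a validating stub must not cache it.
        return "rejected"

    def lookup(self, name):
        """Serve from the captive table only while captive; purge expired entries."""
        table = self._captive if self.captive else self._validated
        entry = table.get(name)
        if entry is None or entry.expires <= self._clock():
            table.pop(name, None)
            return None
        return entry


def demo():
    """Walk a stub through join -> portal -> real link and report what it served."""
    now = [1000.0]                       # controllable clock for a deterministic run
    cache = StubCache(clock=lambda: now[0])
    # Constructed: a validated answer learned before joining the hotspot.
    cache.store("www.example.", "192.0.2.10", ttl=3600, validated=True)
    cache.enter_captive()
    # Constructed: the portal hands back its login host with a one-day TTL.
    status = cache.store("www.example.", "192.0.2.99", ttl=86400, validated=False)
    during = cache.lookup("www.example.")
    ttl_left = during.expires - now[0]   # capped to CAPTIVE_TTL_CAP, not 86400
    cache.leave_captive()
    after = cache.lookup("www.example.")  # the validated answer is intact
    return status, during.rdata, ttl_left, after.rdata


if __name__ == "__main__":
    print(demo())
```

The point of the two tables is that the portal phase never touches validated state: the login host is reachable while the hotspot is intercepting DNS, its TTL is clamped regardless of what the portal claims, and the moment the stub has real connectivity the whole captive table goes away rather than lingering until individual entries time out.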