On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
The point is not to protect the DNS. The point is to protect the people. And that means that maybe you don't want your machine to resolve every domain name.
That sounds very much like the tapping/crypto debate. "You may not secure your communications because we're using its weaknesses for your protection". Not securing DNS because some people are using it for something completely different, namely a filtering service, is not an acceptable solution.

But besides that, services like OpenDNS can still fetch and validate DNS, and then continue to strip it and rewrite it for those end users that prefer such a service. DNSSEC does not change that at all.

Paul