Re: Securing DNS Re: IAB statement on the RPKI.

In message <alpine.LFD.1.10.1002181937210.25953@xxxxxxxxxxxxxxxxxxxx>, Paul Wouters writes:
> On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
> 
> > The point is not to protect the DNS. The point is to protect the
> > people. And that means that maybe you don't want your machine to
> > resolve every domain name.
> 
> That sounds very much like the tapping/crypto debate. "You may not
> secure your communications because we're using its weaknesses for your
> protection".
> 
> Not securing DNS because some people are using it for something completely
> different, namely a filtering service, is not an acceptable solution.
> 
> But besides that, services like opendns can still fetch and validate DNS,
> and then continue to strip it and rewrite it for those end users that prefer
> such a service. DNSSEC does not change that at all.

DNSSEC can even be used to secure reputation data to allow different
applications on the same box to make different decisions about
whether or not to trust the data returned from the DNS even if it
is signed using DNSSEC or not.

One could also use EDNS options to tell the recursive resolver
whether to filter or not a particular query or to pass back a
recommendation to filter the response.  The data itself would still
be signed and verifiable.  The recommendation itself can be secured
with TSIG/SIG(0).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
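
An added illustration of the EDNS-option idea in the message above (not code from the thread, ISC, or any standard): a client-side filter preference carried as an option in the EDNS0 OPT pseudo-RR, with the resolver-side parse and decision. The option code 65001 (from the local/experimental range) and its one-byte values are hypothetical; TSIG/SIG(0) protection of the message is not shown.

```python
import struct

OPT_TYPE = 41                 # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000               # "DNSSEC OK" flag in the OPT TTL field
FILTER_PREF = 65001           # hypothetical option code, local/experimental range
NO_FILTER, FILTER = 0, 1      # hypothetical one-byte option values


def build_opt(udp_size, do, options):
    """Encode an OPT RR: root name, type, class=UDP size, TTL=flags, RDATA=options."""
    rdata = b"".join(struct.pack("!HH", code, len(val)) + val for code, val in options)
    ttl = DO_BIT if do else 0     # extended RCODE and version left at 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def parse_opt(rr):
    """Decode an OPT RR; reject truncated or overlong option data."""
    if len(rr) < 11 or rr[0] != 0:
        raise ValueError("not an OPT RR at the root name")
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE or len(rr) != 11 + rdlen:
        raise ValueError("bad type or RDLENGTH")
    rdata, pos, options = rr[11:], 0, []
    while pos < rdlen:
        if rdlen - pos < 4:
            raise ValueError("truncated option header")
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if olen > rdlen - pos:
            raise ValueError("option length runs past RDATA")
        options.append((code, rdata[pos:pos + olen]))
        pos += olen
    return udp_size, bool(ttl & DO_BIT), options


def wants_filtering(rr, default=True):
    """Resolver-side decision: honour the client's preference if present and well-formed."""
    _, _, options = parse_opt(rr)
    for code, val in options:
        if code == FILTER_PREF and len(val) == 1 and val[0] in (NO_FILTER, FILTER):
            return val[0] == FILTER
    return default
```

The DO bit and the filter preference travel independently in the same OPT RR, so a client can ask for unfiltered answers and still receive the signatures it needs to validate them.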