In message <alpine.LFD.1.10.1002181937210.25953@xxxxxxxxxxxxxxxxxxxx>, Paul Wouters writes:
> On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
>
> > The point is not to protect the DNS. The point is to protect the
> > people. And that means that maybe you don't want your machine to
> > resolve every domain name.
>
> That sounds very much like the tapping/crypto debate. "You may not
> secure your communications because we're using its weaknesses for your
> protection".
>
> Not securing DNS because some people are using it for something completely
> different, namely a filtering service, is not an acceptable solution.
>
> But besides that, services like opendns can still fetch and validate DNS,
> and then continue to strip it and rewrite it for those endusers that prefer
> such a service. DNSSEC does not change that at all.

DNSSEC can even be used to secure reputation data, to allow different
applications on the same box to make different decisions about whether or
not to trust the data returned from the DNS, whether it is signed using
DNSSEC or not.

One could also use EDNS options to tell the recursive resolver whether or
not to filter a particular query, or to pass back a recommendation to
filter the response. The data itself would still be signed and verifiable.
The recommendation itself can be secured with TSIG/SIG(0).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
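The EDNS exchange sketched in the message above, as an added example that is not part of the thread and not ISC's or any resolver's code: the stub asks the recursive resolver, via an EDNS(0) option, whether it wants filtering; the resolver returns the unmodified answer (the part DNSSEC would sign) plus its own filtering recommendation in the OPT RR, and the recommendation is authenticated separately. Assumptions: option code 65001 (from the local/experimental range of RFC 6891) and its one-byte yes/no payload are invented here; a detached HMAC-SHA256 over the message stands in for a TSIG RR; no RRSIG is produced, and the sample name, address and key are constructed.

```python
"""Hypothetical EDNS(0) 'filter advice' option: wire encoding, parsing and a
TSIG-like MAC on the resolver's recommendation.  Assumed option code/payload;
detached HMAC stands in for TSIG (RFC 8945); no DNSSEC signing is done."""
import hmac
import hashlib
import struct

# Assumption: invented option code in the local/experimental range 65001-65534
# (RFC 6891); payload is one byte, 0x00 = do not filter, 0x01 = filter.
FILTER_OPTION_CODE = 65001
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name starting at off; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_opt_rr(options: dict, payload_size: int = 4096, do_bit: bool = True) -> bytes:
    """Serialize an EDNS(0) OPT pseudo-RR (RFC 6891): root name, type 41,
    CLASS = UDP payload size, TTL = ext-rcode/version/flags, option list as RDATA."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options.items())
    ttl = 0x8000 if do_bit else 0          # ext-rcode 0, version 0, DO flag
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, ttl, len(rdata)) + rdata


def parse_opt_rdata(rdata: bytes) -> dict:
    """Split OPT RDATA into {option-code: option-data}."""
    opts, off = {}, 0
    while off < len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        opts[code] = rdata[off + 4:off + 4 + length]
        off += 4 + length
    return opts


def walk_records(msg: bytes):
    """Yield (section, rtype, rdata) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            yield section, rtype, msg[off:off + rdlen]
            off += rdlen


def filter_option(msg: bytes):
    """Payload of the filter option in the OPT RR, or None if the message has none."""
    for section, rtype, rdata in walk_records(msg):
        if section == "additional" and rtype == TYPE_OPT:
            return parse_opt_rdata(rdata).get(FILTER_OPTION_CODE)
    return None


def build_query(qname: str, want_filtering: bool, msg_id: int = 0x1234) -> bytes:
    """Stub -> resolver: A query, RD set, filter preference carried in the OPT RR."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = build_opt_rr({FILTER_OPTION_CODE: b"\x01" if want_filtering else b"\x00"})
    return header + question + opt


def build_response(query: bytes, ip: str, recommend_filter: bool, key: bytes):
    """Resolver -> stub: the real answer untouched, plus the resolver's recommendation
    in the OPT RR.  Returns (message, mac); the MAC is the stand-in for TSIG."""
    msg_id = struct.unpack_from("!H", query)[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 1)   # QR, RD, RA
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + bytes(int(o) for o in ip.split(".")))             # name -> question name
    opt = build_opt_rr({FILTER_OPTION_CODE: b"\x01" if recommend_filter else b"\x00"})
    msg = header + question + answer + opt
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


def authentic(msg: bytes, mac: bytes, key: bytes) -> bool:
    """Constant-time check of the detached MAC over the whole message."""
    return hmac.compare_digest(mac, hmac.new(key, msg, hashlib.sha256).digest())


def verify_and_read(msg: bytes, mac: bytes, key: bytes) -> dict:
    """Stub side: refuse an unauthenticated recommendation, otherwise separate the
    answer (what DNSSEC would cover) from the resolver's filtering advice."""
    if not authentic(msg, mac, key):
        raise ValueError("bad MAC: filtering recommendation is not authenticated")
    ips = [".".join(map(str, rdata)) for sec, rtype, rdata in walk_records(msg)
           if sec == "answer" and rtype == TYPE_A]
    return {"answers": ips, "recommend_filter": filter_option(msg) == b"\x01"}


if __name__ == "__main__":
    key = b"constructed-shared-secret"      # constructed for the example
    q = build_query("example.com", want_filtering=True)
    resp, mac = build_response(q, "192.0.2.1", recommend_filter=True, key=key)
    print(verify_and_read(resp, mac, key))
```

The point the split makes visible: an application that distrusts the resolver's advice can ignore `recommend_filter` and still validate `answers` against DNSSEC, while one that wants filtering gets a recommendation it can check came from its configured resolver rather than from whoever is on path.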