Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

On Feb 25, 2010, at 8:41 AM, Paul Wouters wrote:
> On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:
>> I would like to see us create an assumption that a given machine will
>> only use recursive resolution services from a specific trusted source.
> 
> Trust no one.

You have to trust someone.  Really.

> More and more devices will do their own DNSSEC validation,
> and just use caches to get the data.

This must mean those devices trust their validator (and the operating system it is running on).  Which is fine (and, in fact, what I'd argue is the right answer), but it means you have to figure out how to securely obtain and install the root trust anchor (or the TLD trust anchors or the DLV trust anchor).

>> [Oh we are so not close to being done with deployment here. If turning
>> on DNSSEC means the typical Web surfer cannot get their WiFi access at
>> Panera without reconfiguring their machine then DNSSEC is stone cold
>> dead.]

You have to do this in many cases with non-DNSSEC DNS already.  T-Mobile Hot Spot service, for example, requires you to use their DNS servers so you can't run your own validator.  It really is quite annoying.

Regards,
-drc

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
