Re: [ietf] DNS spoofing at captive portals

>Plan A: few consumers will use DNSSEC between their PCs and the ISP's 
>resolver, so they won't notice.
>
>Plan B: consumers will observe that malicious impersonation of far away 
>DNS servers is rare and exotic, but malware spam arrives hourly, so they 
>will make a rational tradeoff, take their ISP's advice, and turn off 
>DNSSEC.

Something else occurs to me:

Plan C: Sophisticated ISPs might configure their own DNSSEC key into
customer resolvers, and sign replacement records with that.

The threat model for DNSSEC has always been, approximately, that the
authoritative server at the far end is friendly, and the middleboxes
are hostile.  But we have real situations where the opposite is true,
quite possibly more often than the other way around.

If we want people deploying DNSSEC widely, we need to make sure it
handles the actual threats they face.

R's,
John

PS: If I plug my random Windows PC or Mac into a cable modem, and I tell
it to use DNSSEC, where does it get the top level validation keys?
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
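The "Plan C" point above is really about the resolver's trust-anchor store: anything that holds a key in that store can make a replacement record validate. The following is an added illustration, not code from the post or from any DNSSEC implementation; it is a deliberately simplified model in which a parent key signs a child key directly (standing in for DS/DNSKEY records), uses Ed25519 with constructed fixed seeds, and ignores the DNS wire format entirely.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
)

// Link is one step of a simplified DNSSEC chain: Data signed by Signer. Link 0 carries
// the answer; link i>0 carries the key used in link i-1 (standing in for the parent's DS).
type Link struct {
	Signer    ed25519.PublicKey
	Data, Sig []byte
}

func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func sign(priv ed25519.PrivateKey, data []byte) Link {
	return Link{Signer: pub(priv), Data: data, Sig: ed25519.Sign(priv, data)}
}

// Validate walks the chain upward and accepts only if every signature checks, each link
// vouches for the key below it, and the top-most signer is one of the configured anchors.
func Validate(anchors []ed25519.PublicKey, chain []Link) bool {
	if len(chain) == 0 {
		return false
	}
	for i, l := range chain {
		if !ed25519.Verify(l.Signer, l.Data, l.Sig) || (i > 0 && !bytes.Equal(l.Data, chain[i-1].Signer)) {
			return false
		}
	}
	for _, a := range anchors {
		if bytes.Equal(a, chain[len(chain)-1].Signer) {
			return true // any key in the anchor store can vouch for anything below it
		}
	}
	return false
}

// Constructed, fixed seeds so the example is deterministic; real keys come from a CSPRNG.
func key(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }

// Demo returns: the genuine answer under the root anchor, the ISP's replacement under the
// root anchor only, and that replacement once the ISP key is also an anchor (the "Plan C" case).
func Demo() (genuineOK, replacedRootOnly, replacedWithISPAnchor bool) {
	root, zone, isp := key(1), key(2), key(3)
	genuine := []Link{sign(zone, []byte("www.example. A 192.0.2.1")), sign(root, pub(zone))}
	replaced := []Link{sign(isp, []byte("www.example. A 198.51.100.1"))} // constructed portal record
	rootOnly := []ed25519.PublicKey{pub(root)}
	return Validate(rootOnly, genuine), Validate(rootOnly, replaced), Validate(append(rootOnly, pub(isp)), replaced)
}
```

The practical consequence for a defender is that the trust-anchor store (not the resolver address) is what decides whose records validate, so it is the thing to inventory and monitor on managed endpoints.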

