Hi John,

On 09/26/2010 04:34 AM, John R. Levine wrote:
>>> But we have real situations where the opposite is true,
>>> quite possibly more often than the other way around.
>
> Not really. There turn out to be a significant number of domains, in
> the hundreds of thousands at least, that are purely evil. Some host

So, if DNSSEC is enabled with an end-host validator and the ISP cache returns a different record for such a domain, the DNSSEC validator will mark it as bogus and the user gets a server failure response. The domain cannot be accessed.

This is exactly right. DNSSEC provides integrity checks; it does not synthesize the original data out of thin air. Thus, domains can be blocked.

> As I said in a previous message, I am not a big fan of rewriting
> NXDOMAIN, and I was on one of ICANN's advisory committees and helped

Showing an advert then does not work. Of course, showing an advert on someone else's domain name is not particularly nice.

So, an ISP can provide a DNSSEC-enabled cache (that can validate as well), and can block malware, and end-users can use that cache, and run their own validator to secure the path to the ISP cache. So, an end-user can run a validator that is still a 'stub' that connects to the ISP cache. This is much more efficient too, as the ISP cache has all the data (and DNSSEC signatures) in its cache.

A remaining stumbling block (well, once the ISP runs a DNSSEC cache) is the cablemodem-thingy, but it turns out these can (very often) be circumvented by providing the validating-stub on the end-user's machine with the direct IP-address(es) of the ISP cache.
Best regards,
Wouter

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
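The validating stub described in the message, written up as an added configuration example (not part of the original mail, and the message names no particular software): an Unbound instance on the end-user's machine that validates DNSSEC itself but forwards every query straight to the ISP cache by IP address, bypassing the CPE resolver. The ISP cache address 192.0.2.53 and the trust-anchor path are placeholders.

```conf
# Added example: DNSSEC-validating stub forwarding to the ISP cache by IP.
# 192.0.2.53 is a placeholder for the ISP cache; adjust paths as needed.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Validate locally: the root trust anchor is tracked per RFC 5011.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # A rewritten or tampered answer for a signed zone fails validation
    # and is returned to the client as SERVFAIL; log the reason why.
    val-log-level: 2

    # If the upstream cache strips RRSIGs from a signed zone, treat the
    # answer as bogus rather than silently downgrading to insecure.
    harden-dnssec-stripped: yes

# Send everything to the ISP cache directly, reusing its cached data and
# RRSIG records instead of resolving from the root.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

With `dig +dnssec example.com @127.0.0.1`, a securely validated answer carries the AD flag, while an answer the cache has substituted for a signed name comes back as SERVFAIL.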