Re: [ietf] DNS spoofing at captive portals

That is not the right question.

The question should be, who chooses for me?

My answer to the question does not have to be the same as other people's. Some people will want the full ICANN registry with every scammy malware site and every DNS name registered five minutes ago. Others will prefer to have only the ones proven safe.


If I were running a power station in the US, I would probably be quite happy with a very short list indeed.

Gen Alexander is proposing a separate network for critical infrastructure. I think that an edited DNS could play a very important role.


On Fri, Sep 24, 2010 at 9:10 PM, bill manning <bmanning@xxxxxxx> wrote:

On Friday, 24 September 2010, at 17:16, John Levine wrote:

>> Plan A: few consumers will use DNSSEC between their PCs and the ISP's
>> resolver, so they won't notice.
>>
>> Plan B: consumers will observe that malicious impersonation of far away
>> DNS servers is rare and exotic, but malware spam arrives hourly, so they
>> will make a rational tradeoff, take their ISP's advice, and turn off
>> DNSSEC.
>
> Something else occurs to me:
>
> Plan C: Sophisticated ISPs might configure their own DNSSEC key into
> customer resolvers, and sign replacement records with that.
>
> The threat model for DNSSEC has always been, approximately, that the
> authoritative server at the far end is friendly, and the middleboxes
> are hostile.  But we have real situations where the opposite is true,
> quite possibly more often than the other way around.

presuming your statement about an inversion of the stated trust model is correct,
can we dereference "friendly" and "hostile" to whom?  Who makes that assessment
and who/what defines the tools to implement a trust policy?


--bill


>
> If we want people deploying DNSSEC widely, we need to make sure it
> handles the actual threats they face.
>
> R's,
> John
>
> PS: If I plug my random Windows PC or Mac into a cable modem, and I tell
> it to use DNSSEC, where does it get the top level validation keys?
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
--
Website: http://hallambaker.com/

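John's Plan C and Bill's "friendly to whom?" both come down to who supplies the resolver's trust anchors. The toy validator below is an added example written for this archive page, not code from any of the posters: HMAC-SHA256 stands in for RRSIG signatures (so the "key" held by the validator is a shared secret, unlike a real public DNSKEY), key tags are SHA-256 prefixes, and every key, zone and address is constructed. It shows the same ISP-substituted answer being bogus under the root anchor alone and secure once the ISP's key is added as an anchor, plus the defender's check that flags anchors not listed by an out-of-band reference.

```python
import hashlib, hmac

def tag(key: bytes) -> str:          # stand-in for a DNSSEC key tag (constructed)
    return hashlib.sha256(key).hexdigest()[:8]

def sign(key: bytes, owner: str, rtype: str, rdata: str) -> str:
    # Stand-in RRSIG: HMAC-SHA256 over the RRset text; real DNSSEC uses RSA/ECDSA.
    return hmac.new(key, f"{owner} {rtype} {rdata}".encode(), "sha256").hexdigest()

def parent(zone: str):
    return None if zone == "." else (zone.split(".", 1)[1] or ".")

class Validator:
    """zones: zone -> {"keys": {tag: key}, "rrsets": {(owner, type): (rdata, tag, sig)}}.
    A DS RRset's rdata is the space-separated tags of the child's keys."""
    def __init__(self, zones, anchors):
        self.zones, self.anchors = zones, set(anchors)

    def key_trusted(self, zone, ktag):
        if ktag in self.anchors:  # a configured trust anchor ends the chain
            return True
        up = parent(zone)
        ds = self.zones.get(up, {}).get("rrsets", {}).get((zone, "DS")) if up else None
        return bool(ds) and ktag in ds[0].split() and self.secure(up, zone, "DS")

    def secure(self, zone, owner, rtype):
        rr = self.zones.get(zone, {}).get("rrsets", {}).get((owner, rtype))
        if rr is None:
            return False
        rdata, ktag, sig = rr
        key = self.zones[zone]["keys"].get(ktag)
        ok = key is not None and hmac.compare_digest(sig, sign(key, owner, rtype, rdata))
        return ok and self.key_trusted(zone, ktag)

def zone(key, rrs):  # a zone whose RRsets are all signed by `key`
    return {"keys": {tag(key): key},
            "rrsets": {(o, t): (r, tag(key), sign(key, o, t, r)) for o, t, r in rrs}}

ROOT, COM, EXAMPLE, ISP = b"root-ksk", b"com-ksk", b"example-ksk", b"isp-plan-c-key"  # constructed
AUTHORITATIVE = {".": zone(ROOT, [("com.", "DS", tag(COM))]),
                 "com.": zone(COM, [("example.com.", "DS", tag(EXAMPLE))]),
                 "example.com.": zone(EXAMPLE, [("www.example.com.", "A", "192.0.2.10")])}
# Plan C: the ISP resolver substitutes its own answer and signs it with the ISP key.
REPLACED = {**AUTHORITATIVE, "example.com.": zone(ISP, [("www.example.com.", "A", "192.0.2.99")])}

def outcome(zones, anchors) -> bool:
    return Validator(zones, anchors).secure("example.com.", "www.example.com.", "A")

def unexpected_anchors(configured, expected):
    # Defender's check: any anchor the out-of-band reference (e.g. the IANA root) does not list.
    return sorted(set(configured) - set(expected))
```

With only the root anchor configured, `outcome(REPLACED, [tag(ROOT)])` is False because the ISP key is reachable through no DS record; adding `tag(ISP)` to the anchors flips the same answer to secure, which is exactly the "who chooses" question.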