actually, it was the right questions... and the answers all distill down to
your reply. "security" and trust are in the eyes/validator of the beholder.
Sam Weiler borrowed the term "local policy" - which trumps any middleman.
Steve B. suggests VPNs (or their functional equivalent) between the
authoritative or trusted source and the end-system validator - where in this
context, the validator/resolver is w/in a couple usec of the application;
e.g. in the same box. you can do it yourself or you can outsource it to
someone else. end of the day, it's the end-system operator's choice. the
tools for crisply defining the constraints of local policy are still very
crude/fuzzy/undefined.

--bill

On Fri, Sep 24, 2010 at 10:16:05PM -0400, Phillip Hallam-Baker wrote:
> That is not the right question.
>
> The question should be, who chooses for me?
>
> My answer to the question does not have to be the same as other people's.
> Some people will want the full ICANN registry with every scammy malware site
> and every DNS name registered five minutes ago. Others will prefer to have
> only the ones proven safe.
>
> If I was running a power station in the US, I would probably be quite happy
> with a very short list indeed.
>
> Gen Alexander is proposing a separate network for critical infrastructure. I
> think that an edited DNS could play a very important role.
>
> On Fri, Sep 24, 2010 at 9:10 PM, bill manning <bmanning@xxxxxxx> wrote:
>
> > On 24September2010Friday, at 17:16, John Levine wrote:
> >
> > >> Plan A: few consumers will use DNSSEC between their PCs and the ISP's
> > >> resolver, so they won't notice.
> > >>
> > >> Plan B: consumers will observe that malicious impersonation of far away
> > >> DNS servers is rare and exotic, but malware spam arrives hourly, so they
> > >> will make a rational tradeoff, take their ISP's advice, and turn off
> > >> DNSSEC.
> > >
> > > Something else occurs to me:
> > >
> > > Plan C: Sophisticated ISPs might configure their own DNSSEC key into
> > > customer resolvers, and sign replacement records with that.
> > >
> > > The threat model for DNSSEC has always been, approximately, that the
> > > authoritative server at the far end is friendly, and the middleboxes
> > > are hostile. But we have real situations where the opposite is true,
> > > quite possibly more often than the other way around.
> >
> > presuming your statement about an inversion of the stated trust model is
> > correct, can we dereference "friendly" and "hostile" to whom? Who makes
> > that assessment and who/what defines the tools to implement a trust policy?
> >
> > --bill
> >
> > > If we want people deploying DNSSEC widely, we need to make sure it
> > > handles the actual threats they face.
> > >
> > > R's,
> > > John
> > >
> > > PS: If I plug my random Windows PC or Mac into a cable modem, and I tell
> > > it to use DNSSEC, where does it get the top level validation keys?
> > > _______________________________________________
> > > Ietf mailing list
> > > Ietf@xxxxxxxx
> > > https://www.ietf.org/mailman/listinfo/ietf
>
> --
> Website: http://hallambaker.com/