All DNSSEC does is to enable the end point to know that there is data missing. It does not provide the end zone with any way to find the missing data, nor is there any user interaction that makes any real sense in that situation.
But the real answer to the problem is that the root zone signature is not the root of trust for my DNS, it is the root of trust for the ICANN DNS.
myDNS = icannDNS - maliciousDNS
I plan to publish my root cert for my zone at the apex of my DNS zone and establish that out-of-band as the trust anchor for every device and application in my network.
Hosts in my network will determine that a secure DNS resolver is available for the zone via the ESRV mechanism I recently proposed and establish a secure tunnel with my DNS resolver via a protocol TBS, but probably based on either the TLS handshake to establish a ticket containing all necessary server-side state or the existing (but rather old and needing much revision) TKEY mechanism and either TSIG or a cryptographic packaging mechanism TBS.
It would also be possible to adapt either DTLS or IPSEC. But neither of those is well suited to use as a security wrapper for DNS for reasons I won't go into here.
On Sun, Sep 26, 2010 at 12:26 PM, Tony Finch <dot@xxxxxxxx> wrote:
On 25 Sep 2010, at 01:16, John Levine <johnl@xxxxxxxx> wrote:
>
> Plan C: Sophisticated ISPs might configure their own DNSSEC key into
> customer resolvers, and sign replacement records with that.

DNSSEC's validation model makes this basically impossible. The customer resolvers would have to know ahead of time which names will be overridden by their ISP and so may be validated by the extra trust anchor.

Plan D: ISPs that want to block the DNS for evil domains just return a server failure response for the appropriate queries.
See also Paul Vixie's RPZ proposal.
Tony.
--
f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
--
Website: http://hallambaker.com/
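The trust-anchor question the thread turns on (which anchor a validator uses for a given name, why an ISP's replacement record fails under the root chain, and why a privately anchored zone validates without any ICANN delegation) can be shown with a toy validator. This is an added example and not code from any of the posters: HMAC-SHA256 under a per-zone secret stands in for real DNSSEC public-key signatures so that it runs with the standard library only, and all zone names, keys, addresses and the "ISP" substitute zone are constructed for the illustration.

```python
"""Toy DNSSEC validator: trust-anchor selection and chain walking (constructed example).
HMAC under a per-zone secret stands in for RRSIG/DNSKEY public-key signatures so the
example needs only the standard library; the chain logic, not the crypto, is the point."""
import hashlib
import hmac
from dataclasses import dataclass, field


def key_digest(key: bytes) -> str:
    """Stand-in for a DS record: the digest a parent publishes for a child's key."""
    return hashlib.sha256(key).hexdigest()


def sign(key: bytes, owner: str, rdata: str) -> str:
    """Stand-in for an RRSIG over one record."""
    return hmac.new(key, f"{owner}|{rdata}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Zone:
    name: str                               # fully qualified; the root is "."
    key: bytes                              # the zone's signing key (DNSKEY stand-in)
    ds: dict = field(default_factory=dict)  # child zone name -> digest of the child's key


@dataclass
class Answer:
    owner: str
    rdata: str
    signer: str             # zone whose key produced rrsig
    rrsig: str
    rcode: str = "NOERROR"


def ancestors(zone: str):
    """Yield the zone itself, then each enclosing zone up to and including the root."""
    yield zone
    while zone != ".":
        zone = "." if zone.count(".") == 1 else zone.split(".", 1)[1]
        yield zone


def validate(answer: Answer, zones: dict, trust_anchors: dict) -> str:
    """Return the rcode for a failed lookup, else SECURE / BOGUS / INDETERMINATE.
    As real validators do, start from the closest enclosing trust anchor held for the
    signer and walk DS -> DNSKEY links down to it. `zones` is what upstream presented."""
    if answer.rcode != "NOERROR":
        return answer.rcode                   # Plan D: a SERVFAIL carries nothing to validate
    chain = list(ancestors(answer.signer))    # signer ... root
    anchor = next((z for z in chain if z in trust_anchors), None)
    if anchor is None:
        return "INDETERMINATE"                # no configured anchor covers this name
    path = list(reversed(chain[:chain.index(anchor) + 1]))   # anchor ... signer
    expected = trust_anchors[anchor]
    for i, name in enumerate(path):
        zone = zones.get(name)
        if zone is None or key_digest(zone.key) != expected:
            return "BOGUS"                    # published key does not match what vouches for it
        if i + 1 < len(path):
            expected = zone.ds.get(path[i + 1])
            if expected is None:
                # A real validator would accept an NSEC/NSEC3 proof that no DS exists and
                # return Insecure; this toy has no denial-of-existence data, so a missing
                # link is simply bogus.
                return "BOGUS"
    good = sign(zone.key, answer.owner, answer.rdata)
    return "SECURE" if hmac.compare_digest(good, answer.rrsig) else "BOGUS"


def run_scenarios() -> dict:
    """Constructed zones and answers for the plans discussed in the thread."""
    root, com = Zone(".", b"root-ksk"), Zone("com.", b"com-ksk")
    example = Zone("example.com.", b"example-ksk")
    isp_fake = Zone("example.com.", b"isp-ksk")    # ISP's substitute zone under a different key
    corp = Zone("corp.example.", b"corp-ksk")      # private zone, never delegated from ICANN's tree
    root.ds["com."] = key_digest(com.key)
    com.ds["example.com."] = key_digest(example.key)

    icann = {z.name: z for z in (root, com, example)}
    via_isp = {z.name: z for z in (root, com, isp_fake)}
    root_only = {".": key_digest(root.key)}
    plan_c = {**root_only, "example.com.": key_digest(isp_fake.key)}

    owner = "evil.example.com."
    genuine = Answer(owner, "A 192.0.2.1", "example.com.", sign(example.key, owner, "A 192.0.2.1"))
    replaced = Answer(owner, "A 192.0.2.53", "example.com.", sign(isp_fake.key, owner, "A 192.0.2.53"))
    blocked = Answer(owner, "", "example.com.", "", rcode="SERVFAIL")
    private = Answer("intranet.corp.example.", "A 10.0.0.5", "corp.example.",
                     sign(corp.key, "intranet.corp.example.", "A 10.0.0.5"))
    return {
        "genuine, root anchor": validate(genuine, icann, root_only),
        "ISP replacement, root anchor": validate(replaced, via_isp, root_only),
        "ISP replacement, Plan C anchor": validate(replaced, via_isp, plan_c),
        "genuine, Plan C anchor": validate(genuine, icann, plan_c),
        "Plan D SERVFAIL": validate(blocked, via_isp, root_only),
        "private zone, own anchor": validate(private, {corp.name: corp},
                                             {"corp.example.": key_digest(corp.key)}),
        "private zone, root anchor only": validate(private, {corp.name: corp, **icann}, root_only),
    }


if __name__ == "__main__":
    for case, status in run_scenarios().items():
        print(f"{case:32s} -> {status}")
```

The two Plan C rows are the objection in the thread made concrete: the ISP's record only validates once an anchor for exactly that zone is installed in the customer resolver, and once it is, the zone's genuine data becomes bogus, so the resolver has to know in advance which names are overridden. The private-zone rows show the other side of the argument: a zone anchored out of band validates with no ICANN delegation at all, and under the root anchor alone it fails because no DS chain reaches it.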