The pre-DNSSEC application architecture for DNS is now obsolete.
We have at this point only developed a technical infrastructure for securing DNS responses. Developing the application architecture to leverage that opportunity still lies ahead of us.
But even in the new world of DNSSEC with end-to-end authentication, the resolver plays a role that requires trust and thus should be chosen and trusted.
On Wed, Oct 20, 2010 at 9:55 PM, Mark Andrews <marka@xxxxxxx> wrote:
In message <201010210114.o9L1E0MH004556@xxxxxxxxxxxxxxxxxxx>, Martin Rex writes:
> Phillip Hallam-Baker wrote:
> > The DNS is not just name to address translation.
> >
> > The weakest DNS architectural idea is the notion that DNS resolvers are
> > untrusted. This is simply wrong. Every DNS resolver performs a trusted role.
>
> Nope, just the opposite. Name to address translation is meant to
> be an extremely lightweight and fast service.
And how do you know you should trust the host key the remote machine presents?
> Hostnames are NOT supposed to be trusted in any way and it is a serious
> misconception to think they're trusted.
>
> If you want to authenticate your peer, use something like an SSH host key.
> The routing of datagrams on the internet is also untrusted, so any notion
> that a service that translates hostnames into IP-Addresses should be
> trusted is fatally flawed and is totally ignorant about the fundamental
> architecture of the internet.
>
> -Martin
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx
--
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf