nanog mailing list archives
RE: hat tip to .gov hostmasters
From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Mon, 22 Sep 2008 11:11:40 -0400
Correct, you need a validating, security-aware stub resolver, or the ISP needs to validate the records for you.
That would defeat the entire purpose of using DNSSEC. In order for DNSSEC to actually provide any improvement in security whatsoever, the ROOT ZONE (.) needs to be signed, and every delegation up the chain needs to be signed. And EVERY resolver (whether recursive or local on host) needs to understand and enforce DNSSEC. If even one delegation is unsigned or even one resolver does not enforce DNSSEC, then, from an actual security perspective, you will be far worse off than you are now. Until such time as EVERY SINGLE DOMAIN including the root is signed and every single DNS Server and resolver (including the local host resolvers) understand and enforce DNSSEC, you should realize that DNSSEC does nothing for you whatsoever except give the uneducated a false sense of "security". It is likely that IPv48 will be deployed long before DNSSEC is implemented.