nanog mailing list archives
Re: What DNS Is Not
From: Paul Vixie <vixie () isc org>
Date: Thu, 26 Nov 2009 16:37:39 +0000
> From: David Conrad <drc () virtualized org>
> Date: Thu, 26 Nov 2009 07:42:15 -0800
>
> As you know, as long as people rely on their ISPs for resolution services, DNSSEC isn't going to help. Where things get really offensive is when the ISPs _require_ customers (through port 53 blocking, T-Mobile Hotspot, I'm looking at you) to use the ISP's resolution services.

the endgame for provider-in-the-middle attacks is enduser validators, which is unfortunate since this use case is not well supported by current DNSSEC and so there's some more protocol work in our future ("noooooooooooo!!"). i also expect to see DNS carried via HTTPS, which providers tend to leave alone since they don't want to hear from the lawyers at 1-800-flowers.com. (so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).
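
The URL sketched at the end of the message above can be read as a DNS question plus header flags. This is an added example, not code from the post or from ISC, showing the wire-format query such a gateway would build. The path layout (`/dns/query/<name>/<class>/<type>&<flag>=<0|1>`) and the names `url_to_query` and `encode_name` are assumptions made for illustration.

```python
import struct
from urllib.parse import urlsplit

# Assumed reading of the sketched URL; the post does not define a grammar.
PREFIX = "/dns/query/"
SAMPLE_URL = "https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1"  # from the post
QTYPES = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "mx": 15, "txt": 16, "aaaa": 28}
QCLASSES = {"in": 1, "ch": 3}
# DNS header flag bits: recursion desired, authentic data, checking disabled.
FLAG_BITS = {"rd": 0x0100, "ad": 0x0020, "cd": 0x0010}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    name = name.rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")  # non-ASCII raises a ValueError subclass
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"
    if len(wire) > 255:
        raise ValueError("name too long")
    return wire


def url_to_query(url, msg_id=0):
    """Translate the sketched URL form into a DNS query message (bytes)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.path.startswith(PREFIX):
        raise ValueError("not an https /dns/query/ URL")
    question, *options = parts.path[len(PREFIX):].split("&")
    try:
        name, qclass, qtype = question.split("/")
        qclass, qtype = QCLASSES[qclass.lower()], QTYPES[qtype.lower()]
    except (ValueError, KeyError):
        raise ValueError(f"bad question {question!r}") from None
    flags = 0
    for opt in options:
        key, _, value = opt.partition("=")
        if key not in FLAG_BITS or value not in ("0", "1"):
            raise ValueError(f"bad flag {opt!r}")
        if value == "1":
            flags |= FLAG_BITS[key]
    # Header: ID, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, qclass)
```
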