nanog mailing list archives

Re: What DNS Is Not


From: David Conrad <drc () virtualized org>
Date: Thu, 26 Nov 2009 13:25:39 -0800

On Nov 26, 2009, at 8:37 AM, Paul Vixie wrote:
> > From: David Conrad <drc () virtualized org>
> > Date: Thu, 26 Nov 2009 07:42:15 -0800
> >
> > As you know, as long as people rely on their ISPs for resolution
> > services, DNSSEC isn't going to help.  Where things get really offensive
> > is when the ISPs _require_ customers (through port 53 blocking, T-Mobile
> > Hotspot, I'm looking at you) to use the ISP's resolution services.
>
> the endgame for provider-in-the-middle attacks is enduser validators, which
> is unfortunate since this use case is not well supported by current DNSSEC
> and so there's some more protocol work in our future ("noooooooooooo!!").

Why not simply run a validating resolver locally?

> i also expect to see DNS carried via HTTPS, which providers tend to leave
> alone since they don't want to hear from the lawyers at 1-800-flowers.com.
> (so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).

To quote you, "noooooooooooo!!"

At some point, we may as well bite the bullet and redefine http{,s} as IPv7.

Regards,
-drc
