IETF Logo Mail Archive

Re: [dnsext] caches, validating resolvers, CD and DO

Paul Vixie <vixie@isc.org> Wed, 30 March 2011 07:03 UTC

Return-Path: <vixie@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AF5E3A6B18 for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 00:03:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.49
X-Spam-Level:
X-Spam-Status: No, score=-2.49 tagged_above=-999 required=5 tests=[AWL=0.109, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlxrOGoqIwLg for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 00:03:55 -0700 (PDT)
Received: from nsa.vix.com (unknown [IPv6:2001:4f8:3:bb:230:48ff:fe5a:2f38]) by core3.amsl.com (Postfix) with ESMTP id 704D23A6B0F for <dnsext@ietf.org>; Wed, 30 Mar 2011 00:03:55 -0700 (PDT)
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 4F947A1019 for <dnsext@ietf.org>; Wed, 30 Mar 2011 07:05:33 +0000 (UTC) (envelope-from vixie@isc.org)
From: Paul Vixie <vixie@isc.org>
To: dnsext@ietf.org
In-Reply-To: Your message of "Wed, 30 Mar 2011 07:42:32 GMT." <0CAE569785C163CFE87B957E@nimrod.local>
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org> <0CAE569785C163CFE87B957E@nimrod.local>
X-Mailer: MH-E 8.2; nmh 1.3; XEmacs 21.4 (patch 22)
Date: Wed, 30 Mar 2011 07:05:33 +0000
Message-ID: <46410.1301468733@nsa.vix.com>
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 07:03:56 -0000

> Date: Wed, 30 Mar 2011 07:42:32 +0000
> From: Alex Bligh <alex@alex.org.uk>
> ...
> Why "should"? Effectively the validating resolver is handing off
> DNSSEC validation to the upstream server here isn't it? ...

i loved it when dan kaminsky said, i'm not going to trust the starbucks
resolver to introduce me to my bank.  so, to the above, no.  a validating
resolver has a trust anchor (probably the root key and RFC5011 support)
and is going to be setting CD and doing its own crypto.

v2.23.0 | Report a Bug | By Email