Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Andrew Sullivan <ajs@commandprompt.com> Fri, 25 July 2008 22:22 UTC

Date: Fri, 25 Jul 2008 18:10:02 -0400
From: Andrew Sullivan <ajs@commandprompt.com>
To: namedroppers@ops.ietf.org
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <20080725221002.GK29775@commandprompt.com>
References: <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl> <48886C4D.4020500@ca.afilias.info> <63C0FFE7-17E6-4ECE-9A12-0537FE2E3F4B@ca.afilias.info> <4888FED2.6060204@NLnetLabs.nl> <E7388E94-D031-4059-91F9-1596A254E21C@ca.afilias.info> <20080725193101.GB8193@outpost.ds9a.nl> <BEADC795-3C76-407A-A979-2B0AAACE0328@ca.afilias.info>
In-Reply-To: <BEADC795-3C76-407A-A979-2B0AAACE0328@ca.afilias.info>

[no hat]

On Fri, Jul 25, 2008 at 03:36:15PM -0400, Joe Abley wrote:

> It seems to me that a bare validator, freshly started, with no cache and no 
> special configuration, knows nothing about what zones in the world are 
> secured and which are not.

I thought, in any case, that the hypothetical case you were talking
about was a laptop in a hotel room.  Sure, there are people on this
list who know how to set up and configure a full validating resolver
for these purposes.  But the stub resolver is still dependent on
what's upstream, and that's what's going to be on a laptop, I think.
So if the compromise is on the network between the stub and the
validator, you're hosed.  (I thought this was the point someone
up-thread was making.  No?)

A

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/
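The point Andrew makes above is that a stub resolver learns nothing from validation it did not do itself: the only evidence it receives is the AD (Authenticated Data) bit in a plain, unsigned DNS header, so that bit is only worth as much as the path between stub and validator. The following is an added illustration, not code from this message or the thread: it parses the 12-byte DNS header from a constructed response and shows the policy a stub has to apply. The `channel_authenticated` flag is a hypothetical input standing for whatever protection (none, in the hotel-room case) the stub has on its path to the upstream validator; the header bytes are constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035):
# QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010


def build_header(msg_id, qr=1, ad=0, rcode=0, qd=1, an=1, ns=0, ar=0):
    """Constructed 12-byte DNS header for the example (RD set, opcode QUERY)."""
    flags = (FLAG_QR if qr else 0) | FLAG_RD | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def parse_dns_header(data):
    """Decode the fixed DNS header; everything here is unauthenticated wire data."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def stub_accepts_as_validated(data, channel_authenticated):
    """Policy for a non-validating stub: the AD bit is a claim made by the upstream
    validator, carried in the clear, so it may only be relied on when the stub's
    path to that validator is itself protected.  channel_authenticated is a
    hypothetical input for the example; a laptop on an untrusted network passes False."""
    hdr = parse_dns_header(data)
    if not hdr["qr"]:
        return False  # not a response at all
    return hdr["ad"] and channel_authenticated


if __name__ == "__main__":
    resp = build_header(0x1234, ad=1)  # constructed response claiming validation
    print(parse_dns_header(resp))
    print("trusted on protected path:", stub_accepts_as_validated(resp, True))
    print("trusted in the hotel room:", stub_accepts_as_validated(resp, False))
```

The parser makes the dependency concrete: nothing in the header ties the AD bit to the signed RRsets it vouches for, so a stub that is not validating locally has to treat "AD set" and "AD set on an unprotected path" as two different things, which is exactly the gap between the stub and the validator that the message describes.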

archive: <http://ops.ietf.org/lists/namedroppers/>