Re: [DNSOP] my dnse vision

Tony Finch <dot@dotat.at> Mon, 10 March 2014 17:11 UTC

Date: Mon, 10 Mar 2014 17:11:08 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20140306145020.GA5976@laperouse.bortzmeyer.org>
Message-ID: <alpine.LSU.2.00.1403101654150.18502@hermes-1.csi.cam.ac.uk>
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <02410136-DFE2-42C8-A91E-AA84641AFFCF@ogud.com> <20140305144213.GA19170@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403051637160.18502@hermes-1.csi.cam.ac.uk> <20140306145020.GA5976@laperouse.bortzmeyer.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/V4nVoePPuDjmtBhFtMunq_A6WPs
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] my dnse vision

Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> The only place where server authentication could be useful is between
> a stub and the first resolver.

I don't think it is as simple as that.

There are good reasons for using a recursive resolver that is close to
you, e.g. to avoid untrustworthy shared resolvers. However, the more people
do this, the more demand there will be for intercepting iterative queries
between resolvers and authorities. You need to authenticate authoritative
servers to protect against active interception.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Hebrides: South or southwest 4 or 5, increasing 6 to gale 8. Moderate or
rough, becoming very rough in northwest. Mainly fair. Moderate or good,
occasionally poor.