Re: [DNSOP] my dnse vision
Tony Finch <dot@dotat.at> Mon, 10 March 2014 17:11 UTC
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC3A1A0642 for <dnsop@ietfa.amsl.com>; Mon, 10 Mar 2014 10:11:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gWS2EG9hely for <dnsop@ietfa.amsl.com>; Mon, 10 Mar 2014 10:11:14 -0700 (PDT)
Received: from ppsw-40.csi.cam.ac.uk (ppsw-40-v6.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f40]) by ietfa.amsl.com (Postfix) with ESMTP id B65531A055D for <dnsop@ietf.org>; Mon, 10 Mar 2014 10:11:14 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:59142) by ppsw-40.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:25) with esmtpa (EXTERNAL:fanf2) id 1WN3jI-0001Yr-lQ (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 10 Mar 2014 17:11:08 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1WN3jI-0005Lu-KW (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 10 Mar 2014 17:11:08 +0000
Date: Mon, 10 Mar 2014 17:11:08 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20140306145020.GA5976@laperouse.bortzmeyer.org>
Message-ID: <alpine.LSU.2.00.1403101654150.18502@hermes-1.csi.cam.ac.uk>
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <02410136-DFE2-42C8-A91E-AA84641AFFCF@ogud.com> <20140305144213.GA19170@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403051637160.18502@hermes-1.csi.cam.ac.uk> <20140306145020.GA5976@laperouse.bortzmeyer.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/V4nVoePPuDjmtBhFtMunq_A6WPs
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] my dnse vision
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 17:11:26 -0000
Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > > The only place where server authentication could be useful is between > a stub and the first resolver. I don't think it is as simple as that. There are good reasons for using a recursive resolver that is close to you, e.g. to avoid untrustworthy shared resolvers. However the more people do this the more demand there will be for intercepting iterative queries between resolvers and authorities. You need to authenticate authoritative servers to protect against active interception. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Hebrides: South or southwest 4 or 5, increasing 6 to gale 8. Moderate or rough, becoming very rough in northwest. Mainly fair. Moderate or good, occasionally poor.
- Re: [DNSOP] my dnse vision Tim Wicinski
- Re: [DNSOP] my dnse vision Hosnieh Rafiee
- Re: [DNSOP] my dnse vision Miek Gieben
- Re: [DNSOP] my dnse vision Francis Dupont
- Re: [DNSOP] my dnse vision Tony Finch
- Re: [DNSOP] my dnse vision Dan York
- Re: [DNSOP] my dnse vision Tony Finch
- Re: [DNSOP] my dnse vision Olafur Gudmundsson
- Re: [DNSOP] my dnse vision Tim Wicinski
- Re: [DNSOP] my dnse vision Francis Dupont
- [DNSOP] my dnse vision Francis Dupont
- [DNSOP] QUIC for DNS confidentiality (Was: my dns… Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Francis Dupont
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Jelte Jansen
- Re: [DNSOP] my dnse vision Olafur Gudmundsson
- Re: [DNSOP] my dnse vision Wessels, Duane
- Re: [DNSOP] my dnse vision Tony Finch
- Re: [DNSOP] QUIC for DNS confidentiality (Was: my… Tim Wicinski
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Jelte Jansen
- Re: [DNSOP] deploying security Francis Dupont
- Re: [DNSOP] my dnse vision Evan Hunt
- Re: [DNSOP] my dnse vision Hosnieh Rafiee
- Re: [DNSOP] my dnse vision Stephane Bortzmeyer
- Re: [DNSOP] my dnse vision Evan Hunt
- Re: [DNSOP] my dnse vision Tony Finch
- Re: [DNSOP] my dnse vision Phillip Hallam-Baker
- Re: [DNSOP] my dnse vision Tony Finch
- Re: [DNSOP] my dnse vision Phillip Hallam-Baker
- Re: [DNSOP] my dnse vision Tony Finch
- Re: [DNSOP] my dnse vision Mark Andrews