To: Dan Massey <masseyd@isi.edu>
Cc: Edward Lewis <lewis@tislabs.com>, Olaf Kolkman <OKolkman@ripe.net>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Wed, 18 Apr 2001 14:32:00 +0200 (CEST)
In-Reply-To: <20010417182257.A1236@snarl.east.isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: lwresd, tsig, and caching

On Tue, 17 Apr 2001, Dan Massey wrote:

> Ted's Option A:
> Having all 2k laptops do their own key chaining and verification would
> be a bad thing in terms of delay, caching, etc... this doesn't seem
> like something that should be encouraged.

why is this such a bad thing? I would say that local verification is
better and gives you more control over who to trust. in this case, using the
on-site nameservers at forwarders helps caching and decreases delay.

in addition to this, I see a problem delegating the verification to some
nameserver(s) that someone tells me to use (i.e. using dhcp or whatever).
I might be able to query the server(s) securely, but I have no idea on
what they trust and why.

/Jakob

--
Jakob Schlyter <jakob@crt.se>
Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94
Carlstedt Research & Technology