To: Mike StJohns <Mike.StJohns@nominum.com>
cc: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 10 May 2004 17:24:37 -0400
In-Reply-To: Message from Mike StJohns <Mike.StJohns@nominum.com> of "Mon, 10 May 2004 16:37:15 EDT." <6.0.1.1.2.20040510163005.0307fec0@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
>>>>> "Mike" == Mike StJohns <Mike.StJohns@nominum.com> writes:
>> Consider the situation where the user calls up the IT department,
>> and says "I was SSHing to foo.example, and it said 'bogus'". How
>> does this get resolved?
Mike> Typically by the IT department going and trying the query.
Not good enough in my opinion.

a) the problem might be local. (Caching DNSSEC-aware local name server)
b) the end-user might be remote, and having some other set of resolvers in their way.
c) might be time-related, or contents of a cache related.

Do we resolve this kind of thing well right now? No.

The problem is that the end-user is going to get a lot more frequent
failures for the domain to even resolve right now. The problem will be
related to a.example, and they are trying to reach c.b.a.example.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [