To: dnssec@cafax.se
From: Matt Larson <mlarson@verisign.com>
Date: Tue, 11 May 2004 09:17:54 -0400
Content-Disposition: inline
In-Reply-To: <20040511114743.GD18540@atoom.net>
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.5.6i
Subject: Re: dnssec: resolver - application communication
On Tue, 11 May 2004, Miek Gieben wrote:

> Ad 3:
> David has a valid point in that you can use CD=1 and query your
> forwarder to debug. However, if your forwarder is malicious this won't
> help. I believe we also need to develop debugging tools that go after
> the authoritative servers directly.

While I don't disagree with the need for debugging tools, it's important
to remember that many resolvers are prevented from contacting
authoritative servers directly by firewalls, filtering, etc. In many
networks' DNS architectures, the only way out is through an authorized
set of intermediate resolvers.

If there's a malicious or misguided middlebox between your resolver and
the rest of the Internet, you lose. This has always been true. DNSSEC
can't ensure that you get good data in this case, but it can at least
prevent bad (spoofed) data.

Matt
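The CD=1 debugging technique discussed in the thread, as an added example that is not code from the original message or from any of the participants: the same question is sent to a forwarder twice, once with CD=0 and once with CD=1, and the rcode and AD bit of the two replies are compared. A SERVFAIL with CD=0 that turns into NOERROR with CD=1 points at DNSSEC validation failing at the forwarder; a SERVFAIL either way is a different problem. The wire-format code follows RFC 1035, RFC 4035 and RFC 6891; the sample responses, the name `example.test.` and the address 192.0.2.1 are constructed so the script runs offline, and `send_query()` is the only function that touches the network (it is not called by default). Nothing here can tell you whether the forwarder itself is honest, which is the limitation the message describes.

```python
"""Send one DNS question with CD=0 and CD=1 and compare the forwarder's answers.

Added example (not from the original thread).  Sample packets are constructed
in-line; send_query() does real UDP and is only for use against a resolver or
authoritative server you are allowed to query.
"""
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, cd=False):
    """Query with RD=1, an EDNS0 OPT record carrying DO=1, and optionally CD=1."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode 0, version 0, DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header; only the fields the comparison needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x0F, "ancount": an,
    }


def compare(resp_cd0, resp_cd1):
    """Verdict from the forwarder's replies to the same question with CD=0 and CD=1."""
    h0, h1 = parse_header(resp_cd0), parse_header(resp_cd1)
    if h0["rcode"] == RCODE_NOERROR and h0["ad"]:
        return "validated: forwarder returned NOERROR with AD=1 for the CD=0 query"
    if h0["rcode"] == RCODE_SERVFAIL and h1["rcode"] == RCODE_NOERROR:
        return "validation failure at forwarder: SERVFAIL with CD=0, data returned with CD=1"
    if h0["rcode"] == RCODE_SERVFAIL and h1["rcode"] == RCODE_SERVFAIL:
        return "failure not explained by validation: SERVFAIL regardless of CD"
    return "unvalidated: NOERROR without AD (forwarder not validating, or zone unsigned)"


def send_query(server, name, qtype=1, cd=False, timeout=3.0):
    """One UDP round trip to `server` (a forwarder or an authoritative server)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, cd=cd), (server, 53))
        return s.recv(4096)


def build_response(name, txid, rcode, ad=False, cd=False):
    """Constructed reply for offline use: one A record when rcode is NOERROR."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    flags |= (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    ancount = 1 if rcode == RCODE_NOERROR else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b""
    if ancount:
        # Name pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLEN 4, 192.0.2.1 (TEST-NET-1)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


# Constructed sample: the forwarder SERVFAILs with CD=0 but answers with CD=1.
SAMPLE_NAME = "example.test."
SAMPLE_CD0 = build_response(SAMPLE_NAME, 0x1234, RCODE_SERVFAIL)
SAMPLE_CD1 = build_response(SAMPLE_NAME, 0x1234, RCODE_NOERROR, cd=True)


def demo():
    """Run the comparison on the constructed sample replies."""
    return compare(SAMPLE_CD0, SAMPLE_CD1)


if __name__ == "__main__":
    print(demo())
    # Live use (needs network, replace the server address):
    #   r0 = send_query("192.0.2.53", "example.test.", cd=False)
    #   r1 = send_query("192.0.2.53", "example.test.", cd=True)
    #   print(compare(r0, r1))
```

To point the same two queries at an authoritative server instead of the forwarder, pass its address to `send_query()`; if the network only lets port 53 out through the authorized resolvers, that call will time out, which is exactly the situation the message describes.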