To: Matt Larson <mlarson@verisign.com>
Cc: dnssec@cafax.se
From: bmanning@vacation.karoshi.com
Date: Tue, 11 May 2004 15:01:25 +0000
Content-Disposition: inline
In-Reply-To: <20040511131754.GL31336@chinook.corppc.vrsn.com>
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.4.1i
Subject: Re: dnssec: resolver - application communication
On Tue, May 11, 2004 at 09:17:54AM -0400, Matt Larson wrote:
> On Tue, 11 May 2004, Miek Gieben wrote:
> > Ad 3:
> > David has a valid point in that you can use CD=1 and query your
> > forwarder to debug. However if your forwarder is malicious this won't
> > help. I believe we also need to develop debugging tools that go after
> > the authoritative servers directly.
>
> While I don't disagree with the need for debugging tools, it's
> important to remember that many resolvers are prevented from
> contacting authoritative servers directly by firewalls, filtering,
> etc. In many networks' DNS architectures, the only way out is through
> an authorized set of intermediate resolvers.
>
> If there's a malicious or misguided middlebox between your resolver
> and the rest of the Internet, you lose. This has always been true.
> DNSSEC can't ensure that you get good data in this case, but it can at
> least prevent bad (spoofed) data.

	actually, it can't prevent bad/spoofed data, it can only provide
	an unambiguous signal that the data is from a specific source or not.
	Anything past that is a policy choice.

--bill

>
> Matt