Lutz Donnerhacke wrote on 02/16/2007 11:40:14 AM:
* Roy Arends wrote:
explain to me how DNSSEC is dead by doing validation on a stub resolver.
You can't update the installed base quickly enough to gain the benefits of DNSSEC. If the recursing resolvers do not validate, the whole DNSSEC effect is going to zero. You will find about 100000 validating resolvers at end user sites and nobody will sign a zone for this group of geeks.
Ah, you're assuming that folk will en masse sign their zones for the handful of validating resolvers? Meanwhile, my OS X and Windows boxes are configured (by default) to update themselves regularly. Some of my applications do that as well. My browsers have validation integrated. Joe end user would not even see the difference.... but he's better off than before. I don't really expect any demand from end-users in general. I have difficulty believing that there will be any effort from big ISPs to do this. It takes a few support calls to have validation switched off at the ISP's site, or the ISP will already see their very thin margin evaporate (sure sure, you're the exception). That leaves us with pushing code to the end user, in applications and OS, which implies cooperation from and education of software developers. Since you don't sell access to private end users, I assume you sell bulk access, which implies that the corps/folks you sell access to have their own resolvers in place. They lose.
And with 'who queries it', you probably mean that you have some list in place somewhere that discriminates on IP. Note that I can simply passively query your resolver box. You wouldn't even know it is me.
I can't see your point here.
ACLs, firewalls, etc., that decide on source IP address whether it can query your resolver. I can circumvent that.
I find those last two statements highly unlikely, but for argument's sake, multiply this by cost(crypto(lastmile))*count(users).
I do not see the need for crypto on the last mile.
Why should I trust data validated by my ISP?
Because you choose him to do so.
Eh? No, I rely on it to bring me the data. I'll validate it myself, thank you very much.
That is okay.
You are a geek. But you spoke about end users. And they trust their ISP for the data they received from him.
I'd advise Joe end user to validate locally. Just as I'd advise them to validate certificates (which browsers do automagically). Are you saying that end users should blindly trust their HTTP connection, just because it comes via their ISP, or the ISP's proxy?
You are still free to do the validation yourself.
Good. I was concerned for a second. I see no point in discussing this further. You may call me a geek, that's fine, I see it as 'early adopter'.

Roy
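The disagreement above, whether a stub may rely on what the ISP's recursive resolver hands back, comes down to one wire-level fact: the AD ("authentic data") bit is a plain header flag, set by the resolver and carried unauthenticated across the last mile, so anyone on that path can set it. The Python below is an added example by the editor, not code from either Roy or Lutz, and works on constructed packets (the name www.example. and the address 198.51.100.1 are made up). It builds the query a locally validating stub sends (CD in the header plus an EDNS OPT record with DO, so the resolver passes RRSIGs through instead of pre-digesting them), forges the kind of answer an on-path party could inject with no key material at all, and shows a stub that trusts AD accepting it while a stub that insists on validating itself rejects it. Only the first check of a validator (are there signatures to verify at all?) is implemented; signature verification and the chain to the trust anchor are deliberately left out.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
QR = 1 << 15
RD = 1 << 8
RA = 1 << 7
AD = 1 << 5   # "Authentic Data": set by the resolver, unauthenticated on the wire
CD = 1 << 4   # "Checking Disabled": stub wants the data even if the resolver calls it bogus

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000  # DNSSEC OK bit, high bit of the flags half of the OPT TTL field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, txid, validate_locally):
    """Query as a stub sends it. A locally validating stub sets CD and adds an
    OPT record carrying DO so that RRSIGs come back with the answer."""
    flags = RD | (CD if validate_locally else 0)
    arcount = 1 if validate_locally else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if validate_locally:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16) with DO set, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def forge_response(query, forged_ip):
    """What anyone between stub and resolver can do: echo the question,
    set QR|RA|AD, and attach an unsigned A record. No keys are needed."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4          # name + QTYPE + QCLASS
    question = query[12:qend]
    hdr = struct.pack("!HHHHHH", txid, QR | RD | RA | AD, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in forged_ip.split("."))
    # 0xC00C: compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, len(rdata)) + rdata
    return hdr + question + answer


def parse_response(msg):
    """Minimal parser: header flags plus (type, rdata) of each answer RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "ad": bool(flags & AD), "answers": answers}


def trusting_stub_accepts(response):
    """A stub that believes the resolver's AD bit accepts the forgery."""
    return parse_response(response)["ad"]


def validating_stub_accepts(response):
    """A stub that validates itself ignores AD. The very first check already
    fails the forgery: an A RRset must arrive with an RRSIG covering type A.
    Signature verification and the chain to the trust anchor, which a real
    validator does next, are not implemented here."""
    parsed = parse_response(response)
    has_a = any(t == TYPE_A for t, _ in parsed["answers"])
    # RRSIG RDATA begins with the 16-bit "type covered" field (RFC 4034 section 3.1)
    covers_a = any(t == TYPE_RRSIG and rd[:2] == struct.pack("!H", TYPE_A)
                   for t, rd in parsed["answers"])
    return has_a and covers_a


if __name__ == "__main__":
    q = build_query("www.example.", 0x1234, validate_locally=True)
    forged = forge_response(q, "198.51.100.1")  # constructed, not a real capture
    print("trusting stub accepts forgery:", trusting_stub_accepts(forged))
    print("validating stub accepts forgery:", validating_stub_accepts(forged))
```

The forged packet is accepted by the AD-trusting stub and refused by the self-validating one, which is the whole of Roy's objection: the ISP resolver may well validate correctly, but the stub cannot tell a genuine AD from one set by whoever sits on the last mile unless it either validates the RRSIGs itself or protects the stub-to-resolver hop with its own crypto, the very cost term cost(crypto(lastmile))*count(users) in the thread.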