* Roy Arends wrote:
Lutz Donnerhacke wrote on 02/16/2007 09:24:33 AM:
You can run a caching validating on your own system.
Isn't that what I was saying ? I just don't want to do all the recursion. My ISP's resolver can do that.
So use it for this.
not really. I can also validate on a stub resolver.
I wouldn't call this "stub". A stub resolver is a protocol translator: It offers an well known API to well known protocol. It does nothing more of the protocol itself.
Following this proposal in the blog, DNSSEC is dead.
Tell me Lutz, how does joe end user run a full featured validating resolver daemon, when he barely understand the concept of DNS.
The end user has a stub resolver pointing to a trustwothy validating one. It's this plain simple. If you want to break this behavior, DNSSEC is dead.
If he shouldn't run this, how does he setup "a established link to an authenticated resolver". You're not really referring to just an bunch of addresses in some resolv.conf or equivalent, since thats hardly an established link. The ISP's resolver hardly knows who's talking to it.
I'm responsible for DNS at an ISP: The ISP's resolver know who queries it.
Now, lets assume for a sec we don't run into scaling issues, since the "authenticated resolver" needs to do some crypto for the "established link", while doing some crypto to validate messages.
DNSSEC validating on a larger resolver does scale well, because - that's the important observation I made - a lot of queries can be answered from cached NSEC records without querying further. The whole bunch of NXDOMAIN dropped by about 70% here. Crypto is cheap compared to networking.
Why should I trust data, validated by my ISP?
Because you choose him to do so.
Them ISPs route me to a search page, while I should've received an NXDOMAIN. but, no fear, the 'ad' bit is set, and I can just blindly trust my ISP, while they're cashing (no typo) in on my unfortunate misspellings.
If you do not trust your ISP, you need an other one or you won validating protocols i.e. VPN to a trustwothy point. DNSSEC for end users is not a security issue, it's a deployment issue.