Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Joe Abley wrote:
>
>> DNSSEC makes this impossible.
>
> Surely, DNSSEC making that impossible relies on the validator on Joe's
> laptop insisting that the TLD and MYBANK.TLD zones are signed, and that
> a trust anchor exists to verify the signatures.
>
> If the validator on Joe's laptop has an empty cache, and no
> configuration which will make it insist particularly that those zones
> are signed, surely the middleware which is replying to queries could
> just return as if the root, TLD and MYBANK.TLD zones are unsigned. At
> that point there will be no signatures to verify, and it will be as if
> DNSSEC was never deployed.
>
How would you verify anything without a trust anchor?
I don't think anyone here implies that DNSSEC works when you do not
actually turn it on on the resolver you are using.
>
> I keep seeing people insist that query-intercepting middleware will be
> defeated with DNSSEC, but I can't see why. Perhaps I'm missing something.
>
It doesn't (in this scenario), but only because it actually does, and
Joe cannot resolve anything. Then he will probably turn it off.
Jelte
archive: <http://ops.ietf.org/lists/namedroppers/>
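The exchange above turns on one point: a validator that has a trust anchor configured treats a stripped answer as bogus (and the stub gets SERVFAIL), while a validator with no anchor has nothing to anchor to and accepts the same answer as insecure, so the downgrade succeeds. The following is an added example, not code from the thread or from any DNS software, that models that classification from RFC 4035 section 4.3 over a constructed delegation chain for the placeholder names `.`, `TLD` and `MYBANK.TLD` used in the thread. Signature and DS-hash verification are abstracted to boolean flags on each constructed zone response (`rrsigs_verify`, `child_ds`, `signed_ds_denial`), which are assumptions for illustration; the function names `validate_chain`, `strip_dnssec` and `stub_outcome` are likewise this example's own.

```python
"""Simplified model of how a validating resolver classifies a delegation
chain and what a stripping middlebox can and cannot achieve against it.
Added example for the namedroppers thread; not real resolver code.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # full chain of trust from anchor to answer
    INSECURE = "insecure"  # provably (or, without an anchor, unavoidably) unsigned
    BOGUS = "bogus"        # validation failed: SERVFAIL to the stub


@dataclass(frozen=True)
class ZoneResponse:
    """What the validator observes for one zone (constructed, abstracted).

    rrsigs_verify:    the zone's RRsets carry RRSIGs that verify under the
                      DNSKEY the chain leads to (real DS-hash and signature
                      checks are collapsed into this one flag; assumption)
    child_ds:         the zone publishes a signed DS for the next zone
    signed_ds_denial: the zone returns a signed NSEC/NSEC3 proving the next
                      zone has no DS, i.e. an authenticated insecure delegation
    """
    name: str
    rrsigs_verify: bool
    child_ds: bool = False
    signed_ds_denial: bool = False


def validate_chain(trust_anchor: bool, chain: list[ZoneResponse]) -> Status:
    """Walk the chain root-first and return the final security status.

    Without a trust anchor there is no secure entry point, so every answer
    is Insecure and nothing can ever *fail* validation. With an anchor, the
    root answer must verify, and each secure parent must either sign a DS
    for its child (child must then verify) or sign a denial of DS (child is
    Insecure). A delegation with neither, which is what stripping leaves
    behind, is Bogus.
    """
    if not trust_anchor:
        return Status.INSECURE
    status = Status.SECURE if chain[0].rrsigs_verify else Status.BOGUS
    for parent, child in zip(chain, chain[1:]):
        if status is not Status.SECURE:
            break  # Insecure stays insecure; Bogus stops the walk
        if parent.child_ds:
            status = Status.SECURE if child.rrsigs_verify else Status.BOGUS
        elif parent.signed_ds_denial:
            status = Status.INSECURE
        else:
            status = Status.BOGUS  # DS removed and no signed proof of absence
    return status


def strip_dnssec(chain: list[ZoneResponse]) -> list[ZoneResponse]:
    """Emulate query-intercepting middleware answering as if no zone were
    signed. It can drop RRSIGs, DS and NSEC records, but it cannot forge a
    *signed* denial of DS because it lacks the zones' private keys."""
    return [replace(z, rrsigs_verify=False, child_ds=False, signed_ds_denial=False)
            for z in chain]


def stub_outcome(status: Status) -> str:
    """What the stub resolver on the laptop sees for a given status."""
    return "SERVFAIL" if status is Status.BOGUS else "answer returned"


# Constructed chains using the thread's placeholder names.
SIGNED_CHAIN = [
    ZoneResponse(".", rrsigs_verify=True, child_ds=True),
    ZoneResponse("tld.", rrsigs_verify=True, child_ds=True),
    ZoneResponse("mybank.tld.", rrsigs_verify=True),
]
# A legitimately unsigned bank: the signed TLD proves no DS exists.
UNSIGNED_BANK_CHAIN = [
    ZoneResponse(".", rrsigs_verify=True, child_ds=True),
    ZoneResponse("tld.", rrsigs_verify=True, signed_ds_denial=True),
    ZoneResponse("mybank.tld.", rrsigs_verify=False),
]
# Middleware that strips only the bank's answer but leaves the TLD intact.
LEAF_STRIPPED_CHAIN = SIGNED_CHAIN[:2] + [replace(SIGNED_CHAIN[2], rrsigs_verify=False)]


if __name__ == "__main__":
    for label, anchor, chain in [
        ("validator with anchor, honest path", True, SIGNED_CHAIN),
        ("validator with anchor, stripped path", True, strip_dnssec(SIGNED_CHAIN)),
        ("no anchor, stripped path", False, strip_dnssec(SIGNED_CHAIN)),
        ("validator with anchor, unsigned bank", True, UNSIGNED_BANK_CHAIN),
        ("validator with anchor, only leaf stripped", True, LEAF_STRIPPED_CHAIN),
    ]:
        s = validate_chain(anchor, chain)
        print(f"{label:45s} -> {s.value:8s} ({stub_outcome(s)})")
```

The third case is Joe's scenario: with no anchor the stripped path is simply Insecure and the forged answer is returned. The second is Jelte's: the same middleware against a validator with an anchor produces Bogus for every name behind it, so the user resolves nothing and is tempted to turn validation off. The last case shows why partial stripping does not help the attacker either: once the TLD's signed DS has been seen, the bank's answer must verify.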