[dnssec-deployment] some observations about .SE's DNSSEC
Mark Andrews
Mark_Andrews at isc.org
Tue Sep 25 22:38:31 EDT 2007
> > I suggest that anyone with this problem file a bug report
> > with their firewall/NAT vendor.
>
> most of us who have that problem will be behind someone else's NAT, like
> a hotel room or wireless. historically, fixing those is like pushing on
> a rope.

All you can do is log the problem.  If enough people complain
it will be fixed.  Deploying a local DNSSEC resolver is
actually RECOMMENDED practice in a Standards Track RFC.

It would be nice if the IETF in their discussions with
hotels actually stated to the hotel that we are using
technology that is likely to become standard practice in
the next 3 years and that it would be wise to address issues
raised.

After authentication the hotel should have some method to
stop DNS queries being intercepted.  I assume hotels intercept
DNS queries to handle statically configured nameservers in
stub resolvers.

At the very least they should have a checkbox to disable
interception on the authentication page like many do to supply
a non NATed address.

Good indications that it should be disabled automatically are:

* TSIG signed requests.
* non-recursive queries.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
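
The two indications listed in the message above (TSIG-signed requests and non-recursive queries) can both be read straight from the DNS wire format. The sketch below is an added example, not part of the original message or of any ISC code; `should_bypass_interception` and `build_query` are hypothetical names, and the sample queries are constructed with dummy TSIG rdata.

```python
import struct

TYPE_TSIG = 250   # TSIG pseudo-RR type
RD_FLAG = 0x0100  # "recursion desired" header bit

def _skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off
    raise ValueError("truncated name")

def should_bypass_interception(msg):
    """Hypothetical policy: True if the query is non-recursive or TSIG-signed."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:                 # QR bit set: this is a response
        raise ValueError("not a query")
    if not flags & RD_FLAG:
        return True                    # non-recursive query
    off = 12
    for _ in range(qd):                # skip question: name, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # TSIG, if present, is an additional RR
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_TSIG:
            return True
        off += 10 + rdlen
    return False

def _name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\x00"

def build_query(rd, tsig=False):
    """Constructed sample: SOA query for example.se; TSIG rdata is dummy filler."""
    q = struct.pack("!6H", 0x1234, RD_FLAG if rd else 0, 1, 0, 0, int(tsig))
    q += _name("example.se") + struct.pack("!HH", 6, 1)
    if tsig:
        q += _name("key.example") + struct.pack("!HHIH", TYPE_TSIG, 255, 0, 16) + bytes(16)
    return q
```

The check only detects that a TSIG record is present; it does not verify the signature, which an intercepting middlebox could not do without the shared key.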