[Dnssec-deployment] DNSSEC aware recursive name servers
Doug Barton
dougb at dougbarton.us
Fri Aug 5 00:55:07 EDT 2011
On 08/04/2011 21:34, Mohan Parthasarathy wrote:
> Whether I want the recursive server to do the validation or do it
> myself in the end host is a different question. To support either of
> these, we need servers which are DNSSEC aware. Without this how can we
> possibly see any adoption? My sample data of what works is very
> small. Hence, I thought I would ask here in this group.
Now you've raised some interesting topics. :) My personal feeling is
that the "last mile" issue is both one of the most important (perhaps
THE most important) DNSSEC issue, and is unfortunately one of the issues
that has received very little attention until recently, and still (again
IMO) not enough.
My personal view is that unless you're doing validation on the host
itself DNSSEC is useless. What flows from that is that in virtually all
circumstances for the foreseeable future you need to run a local
validating resolver.
I understand that there are some efforts being expended to make it
easier for users (at least in a Unix'y environment) to run a validating
stub, and I think that's great. However, as you point out for hosts that
are often used on unknown networks (which nowadays is more the rule than
the exception) you can't rely on the provided resolver being
DNSSEC-safe. In fact, there are so many broken CPE devices that it's not
at all uncommon not to be able to trust a resolver that you own.
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
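The question of whether a given recursive resolver is DNSSEC-aware at all, and whether it validates, can be checked from the host by sending a query with the EDNS0 DO bit set and looking at what comes back. The script below is an added example written for this page, not code from the post or from the list; it uses only the Python standard library, parses the DNS wire format directly, and demonstrates the check on a constructed reply for example.com (the `sample_response` helper and the `probe` function are the author's own names, not anything from the thread).

```python
"""Probe a recursive resolver for DNSSEC awareness (added example, not from the list post).

A query is sent with the EDNS0 DO bit set and the reply is inspected:
  - no OPT record / DO not echoed  -> resolver (or a CPE box in front of it) is not DNSSEC-aware
  - DO echoed, AD clear for a signed name -> DNSSEC-aware but not validating
  - AD set                          -> resolver asserts that it validated the answer
AD is only an assertion made by the resolver and travels in the clear, which is
exactly why validating on the host itself is the safer choice.
"""
import socket
import struct

FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
DO_BIT = 0x8000          # top bit of the OPT record's TTL field (RFC 3225)
TYPE_OPT = 41

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def opt_record(do=True, udp_size=4096):
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL carries the DO flag
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)

def build_query(qname, qtype=1, txid=0x1234, want_do=True):
    """Standard recursive query; the additional section carries OPT when DO is wanted."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if want_do else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + (opt_record() if want_do else b"")

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; returns the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract header flags and whether an OPT record with DO was returned."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # QTYPE + QCLASS
    has_opt, do = False, False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt, do = True, bool(ttl & DO_BIT)
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "ra": bool(flags & FLAG_RA), "edns": has_opt, "do": do}

def classify(info):
    """Interpret a reply to a DO-flagged query for a name known to be signed."""
    if not info["edns"] or not info["do"]:
        return "not DNSSEC-aware (EDNS0/DO not echoed)"
    if info["ad"]:
        return "claims validation (AD set)"
    return "DNSSEC-aware but not validating (no AD)"

def sample_response(ad=True, with_opt=True, txid=0x1234):
    """Constructed reply for example.com/A (192.0.2.1, a documentation address) used offline."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer + (opt_record() if with_opt else b"")

def probe(resolver_ip, qname="example.com", timeout=2.0):
    """Live check against the resolver you were handed; not exercised offline."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    info = parse_response(reply)
    if info["txid"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return info

if __name__ == "__main__":
    for ad, opt in ((True, True), (False, True), (False, False)):
        print(classify(parse_response(sample_response(ad=ad, with_opt=opt))))
```

Run `probe("<resolver ip>")` against the address your DHCP lease handed you to see which of the three classes it falls into; the "not DNSSEC-aware" case is what a CPE device that strips EDNS0 produces. The classification only means something for a name you know is signed, and "claims validation" is still just the resolver's word, so treat it as a reason to keep a local validating resolver rather than as a reason to drop one.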