[Dnssec-deployment] DNSSEC aware recursive name servers

Joe Abley joe.abley at icann.org
Fri Aug 5 13:03:24 EDT 2011

On 2011-08-05, at 12:46, Edward Lewis wrote:

> At 17:33 +0100 8/5/11, Ben Laurie wrote:
>> On Fri, Aug 5, 2011 at 5:28 PM, Edward Lewis <Ed.Lewis at neustar.biz> wrote:
>>> DNSSEC is designed to do one thing - protect DNS caches.  From this I am
>>> confounded by the noun "DNSSEC aware applications."  DNSSEC was never meant
>>> to be exposed to applications, it is for protecting the DNS.
>> Perhaps you should think of them as "applications that are using a
>> DNSSEC protected cache" then.
> Call or label the applications anything you want, DNSSEC is there to 
> protect the DNS, specifically caches.

for thing in cache application; do

  I tend to think of DNSSEC as being something a $thing uses to make sure it does not receive and act on junk, and hence protect itself.


This is orthogonal to the last-mile question. If an application or a cache wants to protect itself, it needs to validate its replies. A $thing using a cache which happens to protect itself using validation should not assume that the protection is transitive.


More information about the Dnssec-deployment mailing list