[Dnssec-deployment] DNSSEC aware recursive name servers

Andrew Sullivan ajs at shinkuro.com
Fri Aug 5 16:50:18 EDT 2011


On Fri, Aug 05, 2011 at 04:29:10PM -0400, Matt Larson wrote:
> I don't think it's realistic to expect even a majority of end systems
> to be able to perform iterative resolution (i.e., run a recursive name
> server) as a means to access DNSSEC-authenticated data.

Indeed, I'd argue that it's unrealistic to expect a majority of end
systems among DNSSEC geeks to be willing to do that.  My value for N
in Matt's formulation was 2.  I'm not willing to put up with that much
pain, even though I know it's causing me other pain.  It's other pain
I know and have had 20 years to get used to.

But I do think there's hope.  The MIF working group at the IETF is
busy working on yet more nifty hacks to figure out how broken your DNS
resolution path is.  These hacks all seem to me to be like democracy:
the worst approach except for all the others.  I would (1) encourage
people to review the work going on there and (2) try to think about
ways in which the techniques they're going to standardize could allow
a local validating resolver to do sane things in the face of broken
hotel networks and so on.  If we don't tackle this, someone else will,
and I bet we'll be less pleased with the results.

A


-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
