[Dnssec-deployment] DNSSEC aware recursive name servers
Patrik Fältström
paf at cisco.com
Sun Aug 7 17:02:23 EDT 2011
On 7 aug 2011, at 19.03, Paul Vixie wrote:
> ok, here's the scenario. i'm at starbucks. it's 2016. dnssec is so far
> deployed that homebanking.wellsfargo.com no longer has an X.509 cert and
> my browser does not even have a set of CA's in it. IETF DANE is complete
> and everybody's using it.
>
> i ask the starbucks recursive validator for the AAAA RR for wells fargo
> and it tells me, with the AD bit. i contact the TCP/443 listener at that
> address and it gives me a self signed cert with some indication that i can
> find the hash of that cert in DNS.
I'm at Starbucks. It's 2016. DNSSEC is so far deployed that homebanking.wellsfargo.com no longer has an X.509 cert and my browser does not even have a set of CA's in it. IETF DANE is complete and everybody's using it.
I ask my trusted recursive resolver over a secure channel (SIG(0), TSIG or whatever) for the AAAA RR for wells fargo and it tells me, with the AD bit.
Etc...
I.e. I think that to be able to trust whoever one communicates with, there must be a trust relationship, like for email, jabber or whatever.
And I do think there is a market for a middle man between the end user and the root.
Now, if "we" can not communicate this to people...well...
How many users at conferences send email passwords over clear text still?
Patrik
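The scenario in this thread (a DANE-style self-signed cert checked against a hash in DNS, accepted only if the resolver answer carried the AD bit) boils down to two checks a client would make. The following is an added illustration and is not code from the list, from Patrik or from any real resolver or browser: the DNS header, the TLSA record and the certificate bytes are all constructed inline, and only DANE-EE (certificate usage 3, the case where no CA is involved) is handled. Note that, as Patrik points out, the AD bit only means something if the channel to the resolver is itself trusted (TSIG, SIG(0) or similar); the code below checks the bit but cannot check the channel.

```python
"""DANE-EE style certificate acceptance check (added example, constructed data).

Assumptions: the DNS message is a raw wire-format reply (RFC 1035 header,
AD bit per RFC 4035) and the TLSA RDATA follows RFC 6698:
  usage (1 byte) | selector (1 byte) | matching type (1 byte) | association data.
The certificate and SPKI bytes below are placeholders, not real DER.
"""
import hashlib
import struct

# DNS header flags word: QR=0x8000, RD=0x0100, RA=0x0080, AD=0x0020
AD_BIT = 0x0020


def ad_bit_set(dns_message: bytes) -> bool:
    """Return True if the AD (Authenticated Data) flag is set in the 12-byte header.

    Caveat (the point of the thread): a spoofed or hostile resolver can set
    this bit too, so it is only meaningful over a channel you already trust.
    """
    if len(dns_message) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", dns_message[:4])
    return bool(flags & AD_BIT)


def parse_tlsa_rdata(rdata: bytes):
    """Split TLSA RDATA into (usage, selector, matching_type, association_data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def dane_match(tlsa_rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Check whether a presented certificate matches a DANE-EE TLSA record.

    Only usage 3 (DANE-EE) is handled: the record directly names the end-entity
    cert, so a self-signed cert is acceptable with no CA at all. Other usages
    require PKIX chain processing and are rejected here rather than guessed at.
    """
    usage, selector, mtype, assoc = parse_tlsa_rdata(tlsa_rdata)
    if usage != 3:
        return False
    # selector 0 = full certificate, 1 = SubjectPublicKeyInfo
    data = {0: cert_der, 1: spki_der}.get(selector)
    if data is None:
        return False
    # matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    if mtype == 0:
        return assoc == data
    if mtype == 1:
        return assoc == hashlib.sha256(data).digest()
    if mtype == 2:
        return assoc == hashlib.sha512(data).digest()
    return False


def accept_connection(dns_message: bytes, tlsa_rdata: bytes,
                      cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the server cert only if the TLSA answer was validated AND matches."""
    return ad_bit_set(dns_message) and dane_match(tlsa_rdata, cert_der, spki_der)


# --- constructed sample inputs (not real certificates or DNS traffic) ---
FAKE_CERT = b"-- constructed DER certificate bytes --"
FAKE_SPKI = b"-- constructed DER SubjectPublicKeyInfo bytes --"
TLSA_OK = bytes([3, 0, 1]) + hashlib.sha256(FAKE_CERT).digest()
TLSA_SPKI = bytes([3, 1, 1]) + hashlib.sha256(FAKE_SPKI).digest()
TLSA_BAD = bytes([3, 0, 1]) + hashlib.sha256(b"some other cert").digest()
# 12-byte header: id, flags, qdcount, ancount, nscount, arcount
HDR_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)     # QR|RD|RA|AD
HDR_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA only

if __name__ == "__main__":
    print(accept_connection(HDR_AD, TLSA_OK, FAKE_CERT, FAKE_SPKI))     # True
    print(accept_connection(HDR_NO_AD, TLSA_OK, FAKE_CERT, FAKE_SPKI))  # False
    print(accept_connection(HDR_AD, TLSA_BAD, FAKE_CERT, FAKE_SPKI))    # False
```

The two failure paths are the ones the scenario cares about: an answer without AD is treated as unvalidated even when the hash happens to match, and a validated answer whose hash does not match the presented cert is rejected. What the code cannot express is the trust relationship Patrik is after: whether the AD bit arrived from a resolver you have reason to believe.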