[Dnssec-deployment] Fetching the RRSIGs can be a problem too.

Mohan Parthasarathy suruti94 at gmail.com
Thu Sep 1 16:57:27 EDT 2011


On Thu, Sep 1, 2011 at 1:07 PM, Paul Vixie <vixie at isc.org> wrote:

> > Date: Thu, 1 Sep 2011 09:17:03 -0700
> > From: Mohan Parthasarathy <suruti94 at gmail.com>
> >
> > Do you have a clear path today? If not, do you know when we are going
> > to have that clear path? Coming across a broken CPE box is not that
> > uncommon. I was trying to see if there is a simple way to work around
> > it at least in some cases.
>
> i don't think you're going to get there with "forwarders".  it's going
> to take a fair bit of work to make dnssec validation work across the
> common case of "broken CPE".  i'm thinking dns-over-https as a service,
> used as a proxy when the hotel's broken middlebox gets in the way.
>

Who would be operating this service? So, it is a recursive server talking
https on one side and DNS on the other side? Why should I trust this service?

regards
mohan


> background on this can be found below -- noting that validation is a
> "dnssec application" in this context:
>
> http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/
>