[107992] in North American Network Operators' Group


RE: hat tip to .gov hostmasters

daemon@ATHENA.MIT.EDU (Keith Medcalf)
Mon Sep 22 11:13:42 2008

Date: Mon, 22 Sep 2008 11:11:40 -0400
In-Reply-To: <82ljxkkz57.fsf@mid.bfk.de>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> Correct, you need a validating, security-aware stub resolver, or the
> ISP needs to validate the records for you.

That would defeat the entire purpose of using DNSSEC.  In order for DNSSEC to actually provide any improvement in security whatsoever, the ROOT ZONE (.) needs to be signed, and every delegation up the chain needs to be signed.  And EVERY resolver (whether recursive or local on host) needs to understand and enforce DNSSEC.

If even one delegation is unsigned or even one resolver does not enforce DNSSEC, then, from an actual security perspective, you will be far worse off than you are now.

Until such time as EVERY SINGLE DOMAIN including the root is signed and every single DNS Server and resolver (including the local host resolvers) understands and enforces DNSSEC you should realize that DNSSEC does nothing for you whatsoever except give the uneducated a false sense of "security".

It is likely that IPv48 will be deployed long before DNSSEC is implemented.
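The chain-of-trust argument in the message above, worked through as an added example that is not part of the NANOG thread: a validating resolver walks from a root trust anchor down through each delegation, checking at every step that the child's DNSKEY matches the DS the parent signed. The hierarchy (root, gov, example.gov), the keys and the records are all constructed here. DS digests, canonical owner names and key tags follow RFC 4034; the signatures are textbook RSA over fixed Mersenne primes with a truncated hash so the block runs offline on the standard library alone, which is an assumption of this toy and not how real RRSIGs are built.

```python
import hashlib
import struct

E = 65537  # public exponent shared by every toy key

def toy_keypair(p_exp, q_exp):
    """Textbook RSA from Mersenne primes 2^p-1 and 2^q-1 (toy only; 65537 divides no p-1 used here)."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private exponent d)

def digest_int(data, n):
    # Hash reduced below the modulus; real RSA/SHA-256 (algorithm 8) uses PKCS#1 v1.5 padding instead
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest_int(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest_int(data, n)

def name_to_wire(name):
    """Canonical owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root is one zero byte."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(n):
    # flags 257 = ZONE|SEP (a key-signing key), protocol 3, algorithm 8 (RSA/SHA-256), then the key
    return struct.pack("!HBB", 257, 3, 8) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit sum of the DNSKEY RDATA taken as big-endian words."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """RFC 4034 s5.1.4: DS digest (type 2) = SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def ds_wire(child, tag, digest):
    # Toy DS record bytes the parent signs (real DS RDATA also carries algorithm and digest type)
    return name_to_wire(child) + struct.pack("!H", tag) + digest

def build_zone(name, p_exp, q_exp, child_ds=None):
    """A signed zone: its DNSKEY, the DS it publishes for its child (None = unsigned delegation),
    and toy RRSIGs over both, made with the zone's own private key."""
    n, d = toy_keypair(p_exp, q_exp)
    rdata = dnskey_rdata(n)
    return {
        "name": name, "dnskey": rdata,
        "dnskey_sig": sign(name_to_wire(name) + rdata, n, d),
        "ds": child_ds,  # (child name, key tag, digest)
        "ds_sig": sign(ds_wire(*child_ds), n, d) if child_ds else None,
    }

def build_chain(sign_gov_delegation=True):
    """Constructed hierarchy root -> gov -> example.gov; the trust anchor is the DS of the root key."""
    leaf = build_zone("example.gov", 31, 61)
    leaf_ds = ("example.gov", key_tag(leaf["dnskey"]), ds_digest("example.gov", leaf["dnskey"]))
    gov = build_zone("gov", 89, 107, leaf_ds if sign_gov_delegation else None)
    root = build_zone(".", 127, 521, ("gov", key_tag(gov["dnskey"]), ds_digest("gov", gov["dnskey"])))
    anchor = (key_tag(root["dnskey"]), ds_digest(".", root["dnskey"]))
    return anchor, [root, gov, leaf]

def validate_chain(trust_anchor, zones):
    """Walk root -> leaf like a validating resolver. 'secure': every link checks out.
    'insecure': an unsigned delegation ends the chain, so everything below it is ordinary
    unauthenticated DNS. 'bogus': a DS or signature mismatch, the data must be discarded."""
    expected_tag, expected_digest = trust_anchor
    for zone in zones:
        rdata = zone["dnskey"]
        n = int.from_bytes(rdata[4:], "big")  # public key from the DNSKEY RDATA
        if key_tag(rdata) != expected_tag or ds_digest(zone["name"], rdata) != expected_digest:
            return "bogus"  # key is not the one the parent (or the anchor) vouched for
        if not verify(name_to_wire(zone["name"]) + rdata, zone["dnskey_sig"], n):
            return "bogus"  # DNSKEY RRset self-signature fails
        if zone["ds"] is None:
            return "secure" if zone is zones[-1] else "insecure"
        if not verify(ds_wire(*zone["ds"]), zone["ds_sig"], n):
            return "bogus"  # DS RRset signature fails
        _, expected_tag, expected_digest = zone["ds"]  # parent's DS is the next link's expectation
    return "secure"

def scenarios():
    """Three constructed cases: intact chain, gov leaves example.gov unsigned, root's DS for gov forged."""
    results = {"full chain": validate_chain(*build_chain())}
    results["unsigned delegation"] = validate_chain(*build_chain(sign_gov_delegation=False))
    anchor, chain = build_chain()
    child, tag, _ = chain[0]["ds"]
    chain[0]["ds"] = (child, tag, hashlib.sha256(b"forged").digest())  # altered without root's key
    results["forged DS"] = validate_chain(anchor, chain)
    return results

if __name__ == "__main__":
    for case, status in scenarios().items():
        print(f"{case}: {status}")
```

The middle case is the one the message is about: an unsigned delegation does not produce an error, it produces "insecure", and a validating resolver then hands back the unauthenticated answer exactly as plain DNS would. Only a break in a chain that is otherwise signed all the way from the anchor yields "bogus" and a refused answer. The walk also only happens at all in a resolver that validates; a stub that simply trusts the AD bit from an upstream recursive server is relying on that server and on the path to it.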
