[119695] in North American Network Operators' Group


Re: What DNS Is Not

daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Nov 26 11:38:29 2009

From: Paul Vixie <vixie@isc.org>
To: nanog@merit.edu
In-Reply-To: Your message of "Thu, 26 Nov 2009 07:42:15 PST."
	<A41F5B3C-EAF6-4CA1-AB0D-B60B57595AC5@virtualized.org> 
Date: Thu, 26 Nov 2009 16:37:39 +0000
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> From: David Conrad <drc@virtualized.org>
> Date: Thu, 26 Nov 2009 07:42:15 -0800
> 
> As you know, as long as people rely on their ISPs for resolution
> services, DNSSEC isn't going to help.  Where things get really offensive
> is when the ISPs _require_ customers (through port 53 blocking, T-Mobile
> Hotspot, I'm looking at you) to use the ISP's resolution services.

the endgame for provider-in-the-middle attacks is enduser validators, which
is unfortunate since this use case is not well supported by current DNSSEC
and so there's some more protocol work in our future ("noooooooooooo!!").

i also expect to see DNS carried via HTTPS, which providers tend to leave
alone since they don't want to hear from the lawyers at 1-800-flowers.com.
(so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).
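An added illustration, not code from the post or from ISC: the `rd=1` and `ad=1` in that hypothetical URL are the RD and AD bits of the DNS header. The snippet below builds a wire-format query with those bits set, reads the flags back out of a (constructed) response header, and shows why an AD bit is only as trustworthy as the path to the resolver that set it, which is the provider-in-the-middle point above.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035). AD = "authentic data",
# an assertion made by the *resolver*, not something the client verified.
QR = 0x8000  # response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # resolver claims DNSSEC validation succeeded
CD = 0x0010  # checking disabled: client will validate itself


def build_query(name, qtype=1, qclass=1, txid=0x1234, rd=True, ad=True, cd=False):
    """Return a minimal wire-format DNS query for `name` (default: A/IN)."""
    flags = (RD if rd else 0) | (AD if ad else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_flags(msg):
    """Decode the header flags of a DNS message into a dict."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF}


def trust_level(response, validated_locally):
    """Classify how much an answer's DNSSEC status is actually worth.

    validated_locally: True if an end-user validator checked the RRSIG chain
    itself (the "endgame" in the post). Otherwise the only signal is the AD
    bit, which any resolver on the path (ISP, hotspot) can set or clear.
    """
    if validated_locally:
        return "local"
    if parse_flags(response)["ad"]:
        return "resolver-asserted"  # only meaningful over a trusted channel
    return "none"


# Constructed sample response header: QR|RD|RA|AD, NOERROR, one question.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
```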

