[119701] in North American Network Operators' Group


Re: What DNS Is Not

daemon@ATHENA.MIT.EDU (David Conrad)
Thu Nov 26 16:26:35 2009

From: David Conrad <drc@virtualized.org>
In-Reply-To: <56156.1259253459@nsa.vix.com>
Date: Thu, 26 Nov 2009 13:25:39 -0800
To: Paul Vixie <vixie@isc.org>
Cc: nanog@merit.edu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Nov 26, 2009, at 8:37 AM, Paul Vixie wrote:
>> From: David Conrad <drc@virtualized.org>
>> Date: Thu, 26 Nov 2009 07:42:15 -0800
>>
>> As you know, as long as people rely on their ISPs for resolution
>> services, DNSSEC isn't going to help.  Where things get really offensive
>> is when the ISPs _require_ customers (through port 53 blocking, T-Mobile
>> Hotspot, I'm looking at you) to use the ISP's resolution services.
>
> the endgame for provider-in-the-middle attacks is enduser validators, which
> is unfortunate since this use case is not well supported by current DNSSEC
> and so there's some more protocol work in our future ("noooooooooooo!!").

Why not simply run a validating resolver locally?

> i also expect to see DNS carried via HTTPS, which providers tend to leave
> alone since they don't want to hear from the lawyers at 1-800-flowers.com.
> (so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).

To quote you, "noooooooooooo!!"

At some point, we may as well bite the bullet and redefine http{,s} as IPv7.

Regards,
-drc
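The mechanics behind the exchange above, as an added example that is not part of this thread and not code from either participant: a stub resolver only learns that an answer was validated through the AD bit in the response header, and that bit is only worth anything when the path to the validator cannot be rewritten by a provider in the middle, which is why a validator on the local host settles the question. The block builds a DNSSEC-aware query (RD and AD set, EDNS0 OPT with DO), parses response headers, and honours AD only from a loopback resolver. The trusted-resolver set, the sample packets and the address 203.0.113.53 are constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.1.6)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
EDNS_DO = 0x8000   # DO bit lives in the OPT pseudo-RR TTL field (RFC 3225)
OPT_TYPE = 41

# Assumption for this example: the only validator the stub trusts is one
# reached over loopback, i.e. a validating resolver running on the host itself.
TRUSTED_RESOLVERS = {"127.0.0.1", "::1"}


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, qclass=1, txid=0x1234):
    """Query asking for recursion (RD), signalling the stub understands AD,
    with an EDNS0 OPT record whose DO bit asks the resolver for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt


def query_requests_dnssec(packet):
    """True if the packet ends in an OPT record carrying the DO bit."""
    if len(packet) < 11:
        return False
    rtype, _udp_size, ttl, rdlen = struct.unpack("!HHIH", packet[-10:])
    return (packet[-11] == 0 and rtype == OPT_TYPE and rdlen == 0
            and bool(ttl & EDNS_DO))


def parse_header(packet):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def answer_is_validated(packet, resolver_address):
    """A stub may rely on AD only when the channel to the validator is trusted
    (RFC 4035 s4.9.3); anything on the path can clear or set the bit."""
    return parse_header(packet)["ad"] and resolver_address in TRUSTED_RESOLVERS


def make_response(query, flags):
    """Constructed sample response: echoes the query id and question with an
    empty answer section, which is enough for header inspection."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:-11]          # strip header and trailing OPT record
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


QUERY = build_query("www.vix.com")
# Constructed: a validating resolver reporting success, and the same reply as
# it would arrive via a provider resolver that does not validate (no AD).
RESPONSE_VALIDATED = make_response(QUERY, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
RESPONSE_NO_AD = make_response(QUERY, FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    for label, pkt in (("validated", RESPONSE_VALIDATED), ("no AD", RESPONSE_NO_AD)):
        for addr in ("127.0.0.1", "203.0.113.53"):
            print(f"{label:10s} from {addr:14s} trust AD -> "
                  f"{answer_is_validated(pkt, addr)}")
```

Run stand-alone, the script shows the same AD-bearing reply being trusted from 127.0.0.1 and rejected from the constructed provider address; the header bits are identical in both cases, so the decision rests entirely on where the validator sits, which is the whole argument for end-user validation.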
