[97981] in North American Network Operators' Group


Re: DNS Hijacking by Cox

daemon@ATHENA.MIT.EDU (David Conrad)
Mon Jul 23 10:19:11 2007

In-Reply-To: <20070723030643.43049766083@berkshire.machshav.com>
Cc: nanog@merit.edu
From: David Conrad <drc@virtualized.org>
Date: Mon, 23 Jul 2007 09:16:14 -0500
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Errors-To: owner-nanog@merit.edu


Steve,

On Jul 22, 2007, at 10:06 PM, Steven M. Bellovin wrote:
> I'm assuming fairly universal deployment.
...
> The net,
> though, under my assumptions, is that ISP-supplied user configurations
> will likely have the user's machine trust them, but sophisticated users
> will be able to override that -- and DNSSEC is very much something for
> sophisticated users.

On the authoritative side, what do you see as the financial incentive  
to reach "fairly universal deployment"?

On the caching side, people can run their own validating caching  
servers or they can rely on their ISP.  Why do you think there will  
be a radical shift in the way the vast majority of Internet users get  
DNS services, that is, every grandmother running a validating caching  
server on her grandson-managed PC?  If you don't believe there will  
be such a change, then DNSSEC doesn't help you since the end users  
are trusting the operator of the validating caching server and that  
operator is the one (in the case that triggered this thread) that  
mucked with the data.

Rgds,
-drc

