On Aug 18, 2008, at 5:21 PM, Masataka Ohta wrote:
>> The fact is DNSSEC is the *only* game in town for preventing cache poisoning.
>
> Not at all.

Which game do you propose?

> If a caching server is not required to perform public key computation
> to verify RRs before caching, ...

Then the caching server isn't really implementing DNSSEC.

> If a caching server is required to perform public key computation to
> verify RRs before caching, it can't support many clients and will be
> so easy a victim of DDOS.

Hence, one of the reasons for the desire to push DNSSEC towards the end user. For example, I am fairly confident the validating caching server running on my laptop isn't going to be any more subject to a DDOS due to the increased cost of crypto verification than it would be subject to a DDOS due to (say) a ping flood.

I am curious what you propose as an alternative.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
