David Conrad wrote:

>> If a caching server is required to perform public key computation to
>> verify RRs before caching, it can't support many clients and will be
>> such an easy victim of DDoS.
> 
> 
> Hence, one of the reasons for the desire to push DNSSEC towards the end
> user.

You mean all the DNSSEC clients should directly ask authoritative
nameservers and all the firewalls preventing so should be modified.

OK.

Let's assume all the clients agree with you and start using DNSSEC
and all the administrators of firewalls agree with you and perform
modification (though I don't know how NAT can be modified).

Then, the increased load is a very good reason for root servers not
to support DNSSEC.

> I am curious what you propose as an alternative.

Abandon DNSSEC and accept the reality that, even with DNSSEC,
management of DNS is not very secure.

                                                Masataka Ohta


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
