David Conrad wrote:

>> If a caching server is required to perform public key computation to
>> verify RRs before caching, it can't support many clients and will be
>> such an easy victim of DDOS.
>
> Hence, one of the reasons for the desire to push DNSSEC towards the end
> user.

You mean all the DNSSEC clients should directly ask authoritative nameservers and all the firewalls preventing that should be modified.

OK. Let's assume all the clients agree with you and start using DNSSEC, and all the administrators of firewalls agree with you and perform the modification (though I don't know how NAT can be modified).

Then, the increased load is a very good reason for root servers not to support DNSSEC.

> I am curious what you propose as an alternative.

Abandon DNSSEC and accept the reality that, even with DNSSEC, management of DNS is not very secure.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop