Paul Wouters wrote:

> (distributed) point to point encryption (or validation) is the future!

It's no future.

> I see no problem for port 53 through NAT's.

NAT often captures and modifies packets to port 53.

> But really, so many desktop applications
> do direct DNS now themselves with disregard of the OS,

Today, most of them are using a DHCP-supplied server.

>> Then, the increased load is a very good reason for root servers not
>> support DNSSEC.

> I believe 99% of the load of root servers is bogus queries anyway.

The amount of bogus queries will also increase, of course.

> Plus, I'm sure they wouldn't mind an increase to signal/noise ratio.
> Plus, those are addressed my things like anycast. It all scales fairly
> well, DNS being a distributed system and all. I'll take this argument
> as valid as soon as a root server operator comes forward and tells us
> this is a problem. For YOUR objections, let's stick to YOUR problems.

FYI, root server load was my problem and anycast is my thing.

More anycasting means more cost.

>> Abandon DNSSEC and accept the reality that, even with DNSSEC,
>> management of DNS is not very secure.

> That's not an alternative (nor correct)

That's the reality with no alternatives.

                                                Masataka Ohta


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop