Paul Wouters wrote:

> (distributed) point to point encryption (or validation) is the future!

It's no future.

> I see no problem for port 53 through NATs.

NAT often captures and modifies packets to port 53.

> But really, so many desktop applications
> do direct DNS now themselves with disregard of the OS,

Today, most of them are using a DHCP-supplied server.

>> Then, the increased load is a very good reason for root servers not
>> support DNSSEC.
> I believe 99% of the load of root servers is bogus queries anyway.

The amount of bogus queries will also increase, of course.

> Plus, I'm sure they wouldn't mind an increase to signal/noise ratio.
> Plus, those are addressed by things like anycast. It all scales fairly
> well, DNS being a distributed system and all. I'll take this argument
> as valid as soon as a root server operator comes forward and tells us
> this is a problem. For YOUR objections, let's stick to YOUR problems.

FYI, root server load was my problem and anycast is my thing.

More anycasting means more cost.

>> Abandon DNSSEC and accept the reality that, even with DNSSEC,
>> management of DNS is not very secure.
> That's not an alternative (nor correct)

That's the reality with no alternatives.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop