On Jul 16, 2009, at 10:27 AM, Paul Wouters wrote:
DNSSEC doesn't touch anything after the validator. It will have no effect on the vast majority of Comcast (or other consumer oriented) ISPs' customers.
Fedora 12 is slated to run with a validator on every machine.

This is the right direction to go.

I would not be surprised if OSX and Microsoft go in the same direction.

I would be.  Quite.

And the reason for that move is precisely because the end user cannot distinguish
malicious DNS modifications and benign DNS modifications. So it is
better to accept none.

Except for most users, accepting none means "the Internet is broken" which will result in ISP or OS vendor support calls which will undoubtedly result in users being instructed to turn off validation (like they get told to turn off IPv6 today).

We are looking at how to resolve the DNS portal issues and non-DNSSEC
aware resolvers in the forwarder chain. There are some ideas that need
more attention and thoughts.

Yep. It is annoying to have to stop using my local (validating) resolver any time I use T-Mobile hotspot service. I've given up using T-Mobile hotspot (where possible) for precisely that reason.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
