Hi JINMEI, Thanks for your question and review.
> > [...] For DNS resolver, it
> > receives this IP address securely via the option in the router
> > advertisement message.
>
> So, the security of this approach relies on how securely the client can get the
> resolver's address, e.g.,
> - Using SEND for RAs with RFC 6106
> - (If and when it's defined) Using public-key based DHCPv6
>   authentication
> And, to make this part secure, the client needs to get the router's certification
> or the server's public key securely beforehand.
>
> Is my understanding correct?

To some extent correct, but it is not bound to that option. One example is where you are in an untrusted network like a café. We assume that you cannot trust your router or the router does not support SeND, and you really want to ensure that a MITM attack will not happen while browsing any websites (like your bank, etc.); then you can always set the IP address of a trusted resolver yourself. One example can be the use of the IP address of the Google resolver or any other resolver that supports cga-tsig (it can be your home resolver as well). Your node can verify that using the CGA or SSAS algorithm.

I hope I could answer your question.

Smile,
Hosnieh

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
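The CGA check the reply refers to, as an added illustration that is not part of the thread or of any cga-tsig implementation: it generates and verifies a Cryptographically Generated Address following RFC 3972 (Hash1/Hash2, Sec value in the top three bits of the interface identifier, u/g bits cleared). The public-key bytes and the 2001:db8::/64 prefix are constructed sample values, and the TSIG part of cga-tsig (signing the DNS message) is not shown.

```python
import hashlib
import ipaddress
import os

# Constructed sample inputs. RFC 3972 hashes a DER-encoded SubjectPublicKeyInfo;
# any byte string exercises the same arithmetic.
SAMPLE_PUBKEY = b"constructed-demo-public-key-bytes"
SAMPLE_PREFIX = bytes.fromhex("20010db800000000")  # 2001:db8::/64


def _hash1(modifier, prefix, collision_count, pubkey):
    # Hash1 = SHA-1(modifier(16) | subnet prefix(8) | collision count(1) | public key), leftmost 64 bits
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    # Hash2 = SHA-1(modifier(16) | nine zero bytes | public key), leftmost 112 bits
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _leading_zero_bits(data):
    return len(data) * 8 - int.from_bytes(data, "big").bit_length()


def generate_cga(prefix, pubkey, sec=1, modifier=None):
    """Return (address, params); params = (modifier, prefix, collision_count, pubkey)."""
    modifier = modifier or os.urandom(16)
    # Hash2 must start with 16*Sec zero bits: keep incrementing the modifier until it does.
    while _leading_zero_bits(_hash2(modifier, pubkey)) < 16 * sec:
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    collision_count = 0  # would be bumped (up to 2) on a DAD collision
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)  # Sec into bits 0-2, u/g bits (6 and 7) cleared
    return ipaddress.IPv6Address(prefix + bytes(iid)), (modifier, prefix, collision_count, pubkey)


def verify_cga(address, params):
    """RFC 3972 section 5 verification: does this address belong to this public key?"""
    modifier, prefix, collision_count, pubkey = params
    packed = ipaddress.IPv6Address(str(address)).packed
    if collision_count not in (0, 1, 2) or prefix != packed[:8]:
        return False
    iid = packed[8:]
    # Compare Hash1 with the interface identifier, ignoring Sec and the u/g bits.
    mask = bytes([0x1C]) + bytes([0xFF]) * 7
    expected = _hash1(modifier, prefix, collision_count, pubkey)
    if bytes(a & m for a, m in zip(iid, mask)) != bytes(h & m for h, m in zip(expected, mask)):
        return False
    sec = iid[0] >> 5
    return _leading_zero_bits(_hash2(modifier, pubkey)) >= 16 * sec
```

A resolver advertising a CGA would send the parameters with its answer; the client recomputes the hashes, and a key that does not match the address fails the Hash1 comparison.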