On Jan 16, 2015, at 14:22, Warren Kumari <war...@kumari.net> wrote:

> I and some others disagree on the impact of this, but my view is that
> if I sign a zone it is because I'd like everyone doing DNSSEC to
> actually validate the answers, not just shrug and move on…

DNSSEC exists to allow the receiver of data to validate what they have received. For this reason, DNSSEC is all about making the validator happy. It’s become a common misconception of DNSSEC that it is there to benefit the zone administrator. (Think how silly that sounds!)

The root of this is the nature of open-ended distributed systems. In such environments, of which the Internet is a sterling example, one cannot enumerate the participants. This has a number of theoretical implications, too many to list in an email. What applies here is, in such an environment it is insane to have an expectation that one's messages will be treated as one wishes.

Whenever designing a method of interaction in such a system, the most resilient design will rely on defining how a participant reacts to environmental stimuli - i.e., how a receiver of a packet reacts to it. In DNSSEC the most important part of the protocol definition[0] is how (under local policy) the process of validation is recommended to be performed. Subsidiary to that is guidance given to the sources of data when preparing data for transmission - for the mere fact that this sets up expectations of the receiver.

It’s good to recommend improved cryptography to deployers of validators. (Better is an open/relative term.) It’s bad to expect deployers to follow the recommendations. That is the reason DNSSEC “fails” “open.”

[0] Definition is a terse word, “guidance” is more appropriate but makes the sentence harder to read.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop