On Mon, Jan 09, 2017 at 03:51:31PM +0000, Vernon Schryver wrote:

> Note that the vast majority of clients of RPZ rewriting resolvers are
> stubs that don't do validation

So far, and at present, correct. Validating resolvers (unbound and the like) are seeing deployment on servers first, including some of the caches queried by said stubs. (Far from representative of course, my home OpenWRT router runs a validating unbound.)

> but trust header bits saying that a
> resolver operated by a third party did the validation.

But not this. The stubs in question are generally security oblivious, and don't in any sense "trust" that any validation happens upstream.

> I think that's
> wrong, evil, nasty, unethical, a Major Human Rights Issue, and blah
> de blah de blah, but it's also something no one seems willing and able
> to change.

And this part is both irrelevant, and IMHO inappropriately dismissive of legitimate concerns expressed upstream. We won't all agree, but we should be held to a higher standard on the manner of the discourse.

--
Viktor.