On Fri, Jun 22, 2018 at 9:48 AM Ted Lemon <mel...@fugue.com> wrote:

> It seems to me that the main benefit of SIG(0) is not securing connections
> between resolvers and caches, but in securing DNS updates and other
> transfers where you need authentication+authorization.   In the case where
> you just need authentication, we already have DNSSEC.   I _guess_ Warren's
> use case makes some sense, but I think it's a bit hackerly, and not
> something we'd expect to see wide deployment.
>

I think that if it *had* been implemented (and easily configured!) in e.g.
glibc it might have gotten some deployment - but now DPRIVE and DoH (and
similar) will give me everything that I wanted (and more) and so my use
case is no longer worth considering...
W


>
> On Fri, Jun 22, 2018 at 9:41 AM, Vladimír Čunát <
> vladimir.cunat+i...@nic.cz> wrote:
>
>> On 06/22/2018 12:27 AM, Ted Lemon wrote:
>> > Thanks. In the case where a zone isn’t signed but the authoritative
>> > server supports SIG(0), the response could be verified that it
>> > includes exactly what the server sent. But the KEY would need to be
>> > DNSSEC validated or it probably can’t be trusted to verify the SIG(0)
>> > response.
>>
>> Well, the path to the resolver can be secured via other means that are
>> commonly available nowadays, e.g. DNS over TLS.  I can also see use
>> cases for client trusting a resolver enough not to bother with DNSSEC
>> validation locally.
>>
>> --Vladimir
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf