> On 25/04/2020 08:23 Vladimír Čunát <vladimir.cunat+i...@nic.cz> wrote:
>
> Still, note that for some consumers the secure transport may be an argument to drop validating DNSSEC themselves. If they choose some DNS provider that they trust with privacy (it might be their ISP), it seems not a huge leap to trust them with DNS integrity as well (say, the provider doing DNSSEC validation). Especially as today "regular users" don't get that much benefit from validation, mostly relying on https/tls.

In any case, for most users today DNSSEC validation is done by the resolver and not on their device, and in that case the length of the leap you mention is zero: you already have to take the resolver's word for the fact that the result of DNSSEC validation really was what the resolver tells you, so there is no additional security in knowing that the resolver says that it did DNSSEC validation and it was ok.

There is for the resolver, of course, but this means that the resolver can evaluate independently how to trust the results that it gets for its queries; it could rely on DNSSEC, or it could rely on some form of authentication of the authoritatives (e.g. ADo* and/or PKI), or on any other existing or new mechanism.

> Some of them also want a variant of DNS filtering, which still clashes with validation a bit (if done *after* filtering).

Which is one more reason why clients might prefer "trust whatever the secure resolver says" to "trust the DNSSEC information that the resolver puts in your results". DNSSEC and DNS filtering are incompatible by design, and if you have to choose between the two, many users will prefer the latter.

Of course, this changes if we go into the "resolverless" mode envisaged by a couple of the ADD drafts, or in the currently rare case when the client is not a stub and does full resolution directly (the two things are IMHO architecturally equivalent). In that case, the client's security would really benefit from doing DNSSEC validation directly.

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy
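As an added illustration (not part of this thread), the Python below shows what a non-validating stub actually receives from a validating resolver: the AD ("authentic data") flag of RFC 4035 is a single bit in the DNS header that the resolver sets, so a stub that does not validate can only classify that claim by how much it trusts the resolver and the channel. The header bytes are constructed inline and the classification labels returned by `trust_basis` are my own.

```python
import struct

# DNS header flag bits (RFC 1035 s4.1.1; AD and CD added by RFC 4035 s3.2.3).
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
             "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}

def build_header(msg_id, flags, qdcount=1, ancount=1, nscount=0, arcount=0):
    """Pack a 12-byte DNS header in network byte order (constructed sample)."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)

def parse_flags(header):
    """Return (set of flag names, RCODE) from the header's 16-bit flags word."""
    if len(header) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", header[2:4])[0]
    names = {n for n, bit in FLAG_BITS.items() if flags & bit}
    return names, flags & 0x000F

def trust_basis(header, validates_locally, transport_authenticated):
    """Describe what a stub's belief that an answer is DNSSEC-valid rests on.

    validates_locally:       the stub runs its own validator (AD is then ignored)
    transport_authenticated: a DoT/DoH-style channel to a resolver the stub chose
    """
    names, _rcode = parse_flags(header)
    if "QR" not in names:
        raise ValueError("not a response")
    if validates_locally:
        return "local DNSSEC validation"
    if "AD" not in names:
        return "no validation claim"
    if transport_authenticated:
        return "resolver's assertion (authenticated channel)"
    return "resolver's assertion (unauthenticated channel)"

if __name__ == "__main__":
    # Constructed sample: a validating resolver's reply with QR, RD, RA and AD set.
    reply = build_header(0x1234, FLAG_BITS["QR"] | FLAG_BITS["RD"]
                         | FLAG_BITS["RA"] | FLAG_BITS["AD"])
    print(parse_flags(reply))               # ({'QR', 'RD', 'RA', 'AD'}, 0)
    print(trust_basis(reply, False, True))  # resolver's assertion (authenticated channel)
```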
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop