In message <[EMAIL PROTECTED]>, Paul Wouters writes:
> On Fri, 28 Nov 2008, Andrew Sullivan wrote:
>
> > That said, I don't want to make light of the end-point problem, since
> > TSIG between a stub and a recursor isn't a trivial problem today
> > either. Moreover, since end nodes in many environments get their
> > recursor's address(es) via DHCP, and since that path is pretty easy to
> > compromise, the whole edifice rests on a sandy foundation.
> > Nevertheless, I just want to be clear that having every end node in
> > the world doing RFC 4035-and-friends validation is not the only path
> > to useful DNSSEC.
>
> It's worse. Before you can start validating on your own, or use some
> trusted remote TSIG-accessible resolver, you are likely to need
> to accept some spoofs to get past the hotspot authentication.
Which is something the IETF should be providing / promoting a standard
alternative for. At present normal protocol operations are being hijacked
to do this. Browsers could then have a "HOTSPOT" button which just looked
up this information, for example.

Mark

> Then you need to prevent your browser from caching them too much (they
> do fastflux protection), and your own potential resolver needs to
> dump the answers once it has a real IP link to the real world.
>
> I don't know of any method to both allow hotspot access and fully
> use DNSSEC.
>
> Paul
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
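The two mitigations Paul lists for a validating stub behind a hotspot (cap how long the portal's spoofed answers are cached, then dump everything learned while captive once a real link exists) can be sketched as a small state machine. The following is an added illustration, not code from this thread or from any ISC or IETF project. The probe name `probe.example.`, the expected probe body, the five-second TTL cap, and the `FakeNetwork` class that stands in for the hotspot are all constructed for the example; DNSSEC validation itself is simulated as a boolean the fake network returns, so it runs entirely offline.

```python
"""Captive-portal-aware stub cache (constructed example, runs offline)."""
from dataclasses import dataclass

CAPTIVE_TTL_CAP = 5             # assumed: never trust a portal-era answer longer than this
PROBE_NAME = "probe.example."   # hypothetical connectivity-probe name
PROBE_BODY = "connected"        # hypothetical body the genuine probe host returns


@dataclass
class Entry:
    address: str
    validated: bool   # DNSSEC validation outcome (simulated by the fake network)
    captive: bool     # learned while the portal was intercepting DNS
    expires: int      # logical clock, not wall time


class StubCache:
    def __init__(self):
        self.captive = True     # assume a portal until a probe proves otherwise
        self.entries = {}

    def insert(self, name, address, validated, ttl, now):
        if self.captive:
            ttl = min(ttl, CAPTIVE_TTL_CAP)   # counter the portal's long TTLs
        self.entries[name] = Entry(address, validated, self.captive, now + ttl)

    def lookup(self, name, now):
        entry = self.entries.get(name)
        if entry is None or entry.expires <= now:
            self.entries.pop(name, None)
            return None
        return entry

    def leave_captive_mode(self):
        """Dump every answer learned while captive; return how many were purged."""
        before = len(self.entries)
        self.entries = {n: e for n, e in self.entries.items() if not e.captive}
        self.captive = False
        return before - len(self.entries)


def probe(cache, resolve, fetch, now):
    """Resolve and fetch the probe; leave captive mode only on a validated, genuine answer.

    resolve(name) -> (address, validated); fetch(address) -> body.  Both are injected
    so the example needs no network.  Returns (real_link, purged_count).
    """
    address, validated = resolve(PROBE_NAME)
    if validated and fetch(address) == PROBE_BODY:
        purged = cache.leave_captive_mode()          # real link: drop the spoofed answers
        cache.insert(PROBE_NAME, address, validated, ttl=3600, now=now)
        return True, purged
    cache.insert(PROBE_NAME, address, validated, ttl=3600, now=now)  # tagged captive
    return False, 0


class FakeNetwork:
    """Constructed stand-in for the hotspot: before login every name goes to the portal."""
    def __init__(self):
        self.logged_in = False

    def resolve(self, name):
        if not self.logged_in:
            return ("10.0.0.1", False)     # spoofed, fails DNSSEC validation
        return ("192.0.2.10", True)        # genuine, validated

    def fetch(self, address):
        return "portal login page" if address == "10.0.0.1" else PROBE_BODY


def run_demo():
    net, cache = FakeNetwork(), StubCache()
    first, _ = probe(cache, net.resolve, net.fetch, now=0)     # intercepted by the portal
    spoofed = cache.lookup(PROBE_NAME, now=0)                   # cached, but TTL capped
    still_cached = cache.lookup(PROBE_NAME, now=4) is not None
    gone = cache.lookup(PROBE_NAME, now=5) is None              # capped TTL has run out
    cache.insert("www.example.", "10.0.0.1", False, ttl=60, now=5)  # another portal answer
    net.logged_in = True                                        # user clicks through
    second, purged = probe(cache, net.resolve, net.fetch, now=6)
    after = cache.lookup(PROBE_NAME, now=6)
    return {
        "first": first, "spoofed_expires": spoofed.expires,
        "still_cached": still_cached, "gone": gone,
        "second": second, "purged": purged,
        "after_address": after.address, "after_captive": after.captive,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the decision to trust the cache is tied to the probe, not to the portal's DNS: until a validated answer and a genuine fetch both succeed, every entry is short-lived and marked captive, and the first successful probe throws all of them away before the validated answer is stored.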