On Nov 26, 2009, at 8:37 AM, Paul Vixie wrote:

>> From: David Conrad <d...@virtualized.org>
>> Date: Thu, 26 Nov 2009 07:42:15 -0800
>>
>> As you know, as long as people rely on their ISPs for resolution
>> services, DNSSEC isn't going to help. Where things get really offensive
>> is when the ISPs _require_ customers (through port 53 blocking, T-Mobile
>> Hotspot, I'm looking at you) to use the ISP's resolution services.
>
> the endgame for provider-in-the-middle attacks is enduser validators, which
> is unfortunate since this use case is not well supported by current DNSSEC
> and so there's some more protocol work in our future ("noooooooooooo!!").

Why not simply run a validating resolver locally?

> i also expect to see DNS carried via HTTPS, which providers tend to leave
> alone since they don't want to hear from the lawyers at 1-800-flowers.com.
> (so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).

To quote you, "noooooooooooo!!"

At some point, we may as well bite the bullet and redefine http{,s} as IPv7.

Regards,
-drc
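The rd=1&ad=1 parameters in the URL above are the RD and AD header bits of a plain DNS query; the AD bit in a response is the only in-band signal an end user gets that a resolver validated the answer, and a provider in the middle can strip or forge it, which is why the thread ends up at end-user validators. The following example, added here and not part of the thread, builds a query with those bits, parses the flags of a constructed (not captured) response, and classifies what the response tells the client. The function names and the sample messages are assumptions for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD bits from RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def build_query(name, qtype=1, txid=0x1234, rd=True, ad=True, cd=False):
    """Wire-format query; rd/ad/cd correspond to the rd=1&ad=1 style parameters.
    Setting AD in a query tells the resolver the client understands the AD bit."""
    flags = (RD if rd else 0) | (AD if ad else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_flags(msg):
    """Decode the 16-bit flags word of a DNS message into named fields."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF}


def classify_resolver(msg):
    """What a response's flags tell an end user about the resolver that sent it.
    Note: the AD bit is only meaningful over a channel the client trusts; a
    provider-in-the-middle can clear or set it, so it is no substitute for
    validating locally."""
    f = parse_flags(msg)
    if not f["qr"]:
        return "not a response"
    if not f["ra"]:
        return "resolver does not offer recursion"
    if f["ad"]:
        return "validated: resolver asserts DNSSEC-authenticated data"
    return "unvalidated: no AD bit, non-validating or tampering resolver indistinguishable"


def sample_response(ad):
    """Constructed minimal response (not from a real server): QR|RD|RA, AD optional,
    question section only, ANCOUNT=1 claimed for realism."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    return header + b"\x03www\x03vix\x03com\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    print(parse_flags(build_query("www.vix.com")))
    print(classify_resolver(sample_response(True)))
    print(classify_resolver(sample_response(False)))
```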