On Apr 30, 2014, at 3:12 PM, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:

> On Apr 30, 2014, at 12:08 PM, Dan York <y...@isoc.org> wrote:
>
>> But overall the technology behind DNSSEC is very solid and is not the deployment challenge.
>
> There is one key problem with DNSSEC to the user's system: 1%+ of the network rejects it, because the user is behind a device which blocks 3rd-party DNS requests and forces all requests through a non-DNSSEC-supporting recursive resolver.

Yes, this is an issue. Wes Hardaker, Olafur Gudmundsson and Suresh Krishnaswamy have done a good job of documenting this and other related issues in this I-D:

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance

(And they are certainly open to comments and feedback on the draft.)

Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org  +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork  http://twitter.com/danyork
http://www.internetsociety.org/deploy360/