On Nov 26, 2009, at 8:37 AM, Paul Vixie wrote:
From: David Conrad <drc@virtualized.org>
Date: Thu, 26 Nov 2009 07:42:15 -0800
As you know, as long as people rely on their ISPs for resolution services, DNSSEC isn't going to help. Where things get really offensive is when the ISPs _require_ customers (through port 53 blocking; T-Mobile Hotspot, I'm looking at you) to use the ISP's resolution services.
the endgame for provider-in-the-middle attacks is enduser validators, which is unfortunate since this use case is not well supported by current DNSSEC and so there's some more protocol work in our future ("noooooooooooo!!").
Why not simply run a validating resolver locally?
i also expect to see DNS carried via HTTPS, which providers tend to leave alone since they don't want to hear from the lawyers at 1-800-flowers.com. (so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).
To quote you, "noooooooooooo!!" At some point, we may as well bite the bullet and redefine http{,s} as IPv7. Regards, -drc
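As an added illustration of the locally validating resolver drc suggests (an example written for this page, not configuration posted by either participant), a minimal unbound.conf that validates DNSSEC for applications on the host. The choice of unbound and the trust-anchor path are assumptions; the thread names no particular software.

```conf
# Added example (not from the thread): unbound as a DNSSEC-validating
# resolver that listens only on loopback, so local applications get
# validated answers no matter which resolver the ISP hands out via DHCP.
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # Root trust anchor, kept current per RFC 5011. The path is an
    # assumption; initialise the file with unbound-anchor before first start.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # An answer for a signed zone that arrives with its signatures stripped
    # is treated as bogus instead of silently degrading to insecure.
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Log validation failures (0 = off, 1 = failures only, 2 = verbose).
    val-log-level: 1

# If the provider blocks outbound port 53 (the case drc complains about),
# recursion to the root servers fails. Forwarding to the provider's
# resolver still lets unbound validate what comes back: the provider can
# then deny service, but cannot forge data in a signed zone undetected.
# The address is a placeholder from the documentation range; substitute
# the provider's resolver.
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.1
```

Once it is running, `dig @127.0.0.1 +dnssec example.com` should show the `ad` flag in the response header for a correctly signed zone, while a response with a bad signature should come back as SERVFAIL rather than as data.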