[resent from proper address]
Joe Abley (jabley) writes:
> - if you suppress a response because validation fails, the result is largely
>   indistinguishable from a broken cache
> - validation failures result in increased support costs for the ISP
> - there is no practical, deployed security between the cache and the stub resolver
> However, if you validate in your application (or in
> the OS with a useful API available to applications):
> - you can ascribe problems in validation to problems with a domain name, rather than
>   problems with a cache
> If this line of thinking becomes more prevalent, then we can expect to see
> Chrome/Mozilla/Safari/IE/name-your-app take up the validation workload. There are a
> relatively small number of vendors who would need to jump on board with this to see fairly
> widespread deployment, and they have incentives to do so other than protecting users (e.g.
> see DANE vs. the browser list).
Right, but it's going to take a little time before most applications
validate or even check for TLSA/DANE, although there is progress.
See Tony Finch's recent draft for SMTP.
What should we do in the meantime? I completely understand the rationale
for *not* enabling DNSSEC validation at the moment, based on your
arguments, but where does that leave the users? Is it better to enable
validation, protect the users and absorb the increased support cost, and
even risk losing business?
> In this scenario, the barriers to widespread
> deployment of DNSSEC are a lack of zone signing, not a lack of validation on the part of
> ISPs, and zone signing in the absence of validation in ISP caches is not as pointless as
That's a very good point.
> Incidentally, the nice people at NLNet Labs wrote a
> little package which allows you to run up a local copy of unbound and use it to validate
> from the end-user host. It's available for Windows and for the Mac, and it might be
> fun to play with if you're a user who is not also a systems administrator.
Very much recommended, yes.
But until application and OS developers catch up, we'll need some interim
solution. If the ISPs aren't the one to deploy it...
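As an added illustration of the distinction the thread draws (a validation failure looking like a broken cache versus an application being able to blame the domain), and not code from this thread or from the unbound package mentioned: a stub-side check that reads the AD and CD bits of the DNS header (RFC 4035) and, when the cache answers SERVFAIL, re-asks with CD=1 to decide whether the domain's data is bogus or the cache itself is failing. The responses are constructed header bytes so it runs offline; the `classify` labels and the CD-retry heuristic are my own, and a real client would send the same two questions over UDP/TCP to its cache.

```python
import struct
from typing import Optional

# DNS flags word (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.1.6 and s3.2.2):
# QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
FLAG_AD = 0x0020   # Authentic Data: the *cache* says it validated the answer
FLAG_CD = 0x0010   # Checking Disabled: client asks the cache to skip validation
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def parse_header(msg: bytes) -> dict:
    """Extract id, RCODE, AD/CD bits and answer count from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ancount": an,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}

def classify(normal: bytes, cd_retry: Optional[bytes] = None) -> str:
    """Attribute a lookup outcome to the domain or to the cache.

    `normal` is the response to an ordinary (CD=0) query; `cd_retry` is the
    response to the same question re-sent with CD=1, needed only after SERVFAIL.
    """
    n = parse_header(normal)
    if n["rcode"] == RCODE_NOERROR:
        # AD=1 only means the cache validated; the stub still trusts the path
        # between itself and the cache (the thread's third bullet).
        return "secure" if n["ad"] else "insecure"
    if n["rcode"] != RCODE_SERVFAIL:
        return "other-error"
    if cd_retry is None:
        return "servfail-undetermined"   # cannot yet tell domain from cache problem
    c = parse_header(cd_retry)
    if c["rcode"] == RCODE_NOERROR and c["ancount"] > 0:
        return "bogus"                   # data exists but fails validation: the domain
    return "cache-or-upstream-broken"    # even with checking disabled nothing comes back

def make_response(txid: int, rcode: int, ad: bool = False,
                  cd: bool = False, ancount: int = 0) -> bytes:
    """Constructed 12-byte header (no question/answer sections) for offline use."""
    flags = 0x8180 | rcode               # QR=1, RD=1, RA=1
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    return struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(classify(make_response(1, RCODE_SERVFAIL),
                   make_response(1, RCODE_NOERROR, cd=True, ancount=1)))  # bogus
```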