[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Evaluation: draft-ietf-dnsext-ad-is-secure

To: "Jeffrey I. Schiller" <jis@mit.edu>
Subject: Re: Evaluation: draft-ietf-dnsext-ad-is-secure
From: Randy Bush <randy@psg.com>
Date: Thu, 10 Jul 2003 21:01:25 +0200
Cc: "Steven M. Bellovin" <smb@research.att.com>, Rob Austein <sra@hactrn.net>, iesg@ietf.org
References: <20030710012019.4FB507B4D@berkshire.research.att.com><3F0CD2F7.9020406@mit.edu><E19agAX-0003uN-Ku@roam.psg.com><3F0DB722.6010409@mit.edu>

> Whats worse then insecure DNS is something marketed as "Secure" DNS that 
> isn't....

   The AD bit SHOULD be used by the local resolver if and only if it has
   been explicitly configured to trust the remote resolver.  The AD bit
   SHOULD be ignored when the remote resolver is not trusted.

we give you the gun.  your choice to use it.

neither smb nor i were happy with this document.  but no one saw a
really good way to do this.

randy

Follow-Ups:
- Re: Evaluation: draft-ietf-dnsext-ad-is-secure
  - From: "Jeffrey I. Schiller" <jis@mit.edu>

References:
- Re: Evaluation: draft-ietf-dnsext-ad-is-secure
  - From: "Steven M. Bellovin" <smb@research.att.com>
- Re: Evaluation: draft-ietf-dnsext-ad-is-secure
  - From: "Jeffrey I. Schiller" <jis@mit.edu>
- Re: Evaluation: draft-ietf-dnsext-ad-is-secure
  - From: Randy Bush <randy@psg.com>
- Re: Evaluation: draft-ietf-dnsext-ad-is-secure
  - From: "Jeffrey I. Schiller" <jis@mit.edu>

Prev by Date: Re: Evaluation: draft-ietf-dnsext-ad-is-secure
Next by Date: jabber identity
Previous by thread: Re: Evaluation: draft-ietf-dnsext-ad-is-secure
Next by thread: Re: Evaluation: draft-ietf-dnsext-ad-is-secure
Index(es):
- Date
- Thread