against dnssec

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sun Jan 18 18:03:11 UTC 2015


Neal Becker wrote:
>This quote caught my attention:
>
>DNSSEC deployment guides go so far as to recommend against deployment
>of DNSSEC validation on end-systems.

Where are those guides, who wrote them, and what are their arguments
against local validation?

>So significant is the inclination
>against extending DNSSEC all the way to desktops that an additional
>protocol extension (TSIG) was designed in part to provide that
>capability.

TSIG requires the client to trust that the server performs the
validation correctly and doesn't lie about it. It may be useful within
an organization where the same group of administrators control both
servers and clients, but not on a laptop that connects to random
hotspots.

-- 
Björn Persson
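
The trust argument in the reply above, as an added example that is not part of the original post: a TSIG-style MAC protects the hop between stub and resolver, but it also verifies on an answer the resolver never validated. Assumptions: the MAC is a simplified HMAC over the message only (real TSIG also covers the request MAC and the TSIG variables), the resolver signals validation through the AD header flag, and the key, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

AD = 0x0020                                  # "Authentic Data" flag in the DNS header
KEY = b"constructed-shared-tsig-secret"      # constructed sample key, not a real one

def build_response(txid, ad, rdata):
    """Minimal stand-in for a DNS response: 12-byte header plus raw answer bytes."""
    flags = 0x8180 | (AD if ad else 0)       # QR=1, RD=1, RA=1, optionally AD=1
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + rdata

def tsig_mac(key, message):
    # Simplified model: HMAC-SHA256 over the message bytes only.
    return hmac.new(key, message, hashlib.sha256).digest()

def resolver_reply(key, txid, rdata, upstream_valid, honest=True):
    """An honest resolver sets AD only after DNSSEC validation succeeded.
    (A real validator would answer SERVFAIL for bogus data; clearing AD
    keeps this model short.)"""
    ad = upstream_valid if honest else True
    msg = build_response(txid, ad, rdata)
    return msg, tsig_mac(key, msg)

def client_accepts(key, message, mac):
    """All a TSIG-only stub can check: the MAC verifies and AD is set."""
    if not hmac.compare_digest(tsig_mac(key, message), mac):
        return False
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & AD)

def scenarios():
    good, forged = b"\xc0\x00\x02\x01", b"\xcb\x00\x71\x09"  # 192.0.2.1, 203.0.113.9
    out = {}
    # Honest resolver, signatures validated upstream: accepted.
    out["honest_valid"] = client_accepts(KEY, *resolver_reply(KEY, 7, good, True))
    # Honest resolver, validation failed: AD is clear, stub rejects.
    out["honest_bogus"] = client_accepts(KEY, *resolver_reply(KEY, 7, forged, False))
    # Resolver that skips validation or lies about it: MAC is still valid.
    out["lying"] = client_accepts(
        KEY, *resolver_reply(KEY, 7, forged, False, honest=False))
    # Modification on the path by someone without the key: MAC fails.
    msg, mac = resolver_reply(KEY, 7, good, True)
    out["tampered"] = client_accepts(KEY, msg[:-4] + forged, mac)
    return out

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:13} accepted={accepted}")
```

Only the "lying" case separates the two models: a stub that validates DNSSEC signatures itself would reject that answer, while the MAC check cannot.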