[resent from proper address] Joe Abley (jabley) writes:
- if you suppress a response because validation fails, the result is largely indistinguishable from a broken cache
- validation failures result in increased support costs for the ISP
- there is no practical, deployed security between the cache and the stub resolver
[...]
However, if you validate in your application (or in the OS with a useful API available to applications):
- you can ascribe problems in validation to problems with a domain name, rather than problems with a cache
If this line of thinking becomes more prevalent, then we can expect to see Chrome/Mozilla/Safari/IE/name-your-app take up the validation workload. There are a relatively small number of vendors who would need to jump on board with this to see fairly widespread deployment, and they have incentives to do so other than protecting users (e.g. see DANE vs. the browser list).
Right, but it's going to take a little time before most applications validate or even check for TLSA/DANE, although there is progress. See Tony Finch's recent draft for SMTP (http://tools.ietf.org/html/draft-fanf-dane-smtp-02). What should we do in the meantime? I completely understand the rationale for *not* enabling DNSSEC validation at the moment, based on your arguments, but where does that leave the users? Is it better to enable validation, protect the users and absorb the increased support cost, and even risk losing business?
In this scenario, the barriers to widespread deployment of DNSSEC are a lack of zone signing, not a lack of validation on the part of ISPs, and zone signing in the absence of validation in ISP caches is not as pointless as it seems.
That's a very good point.
Incidentally, the nice people at NLNet Labs wrote a little package which allows you to run up a local copy of unbound and use it to validate from the end-user host. It's available for Windows and for the Mac, and it might be fun to play with if you're a user who is not also a systems administrator.
Very much recommended, yes. But until application and OS developers catch up, we'll need some interim solution. If the ISPs aren't the ones to deploy it... Cheers, Phil
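The thread's first point, that a validating cache's SERVFAIL looks just like a broken cache, is exactly what the CD (Checking Disabled) flag from RFC 4035 lets a client disambiguate: repeat the query with CD=1 and see whether the data comes back. The following is an added example (not code from the thread or from NLnet Labs' unbound) that builds such a query pair in wire format with the DO bit set and classifies the two replies using only the standard library; the sample response headers in the test are constructed, not captured.

```python
"""Tell a DNSSEC validation failure apart from a broken cache.

Added example. A validating resolver answers SERVFAIL when validation fails,
which is indistinguishable from any other resolver failure. Sending the same
query again with CD=1 (RFC 4035) asks the resolver to skip validation, so
comparing the two answers separates the two cases. Pure standard library,
header-only parsing, no network access.
"""
import struct

FLAG_AD = 0x0020  # Authentic Data: resolver validated the answer
FLAG_CD = 0x0010  # Checking Disabled: client asks the resolver not to validate
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(qname: str, qtype: int, checking_disabled: bool, txid: int = 0x1234) -> bytes:
    """Wire-format query: RD set, optional CD, plus an EDNS OPT RR with DO=1."""
    flags = 0x0100 | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qdcount=1, arcount=1 (OPT)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO bit, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Extract id, RCODE, AD and CD from the 12-byte DNS header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}


def classify(normal: bytes, cd: bytes) -> str:
    """Classify a reply to a CD=0 query together with the reply to the same query with CD=1."""
    n, c = parse_header(normal), parse_header(cd)
    if n["rcode"] == RCODE_NOERROR and n["ad"]:
        return "validated"
    if n["rcode"] == RCODE_NOERROR:
        return "unsigned-or-unvalidated"  # data returned, but resolver did not set AD
    if n["rcode"] == RCODE_SERVFAIL and c["rcode"] == RCODE_NOERROR:
        return "validation-failure"  # only validation fails: the zone's DNSSEC is broken
    return "resolver-failure"  # fails even with checking disabled: cache or upstream problem
```

In a real client the two queries go to the same resolver and their transaction ids are checked against the replies before classifying.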