[dns-wg] Re: Swedish ISP TCD Song Adopts DNSSEC
- Previous message (by thread): [dns-wg] Re: Swedish ISP TCD Song Adopts DNSSEC
- Next message (by thread): [dns-wg] Re: Swedish ISP TCD Song Adopts DNSSEC
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Doug Barton
dougb at dougbarton.us
Tue Feb 13 19:48:31 CET 2007
Max Tulyev wrote:
> We (NetAssist, Kiev, Ukraine) did it a year ago (RIPE backresolve, .se,
> .ru, .net, .com as well as ISC's DLV checking).
I think this is a great move. Have you had any feedback from your users?
> In general, I don't believe in practical usage of this implementation,
> because of you can do a DNS attack on the client's resolver directly.
>
> But I see significant decrease of spam after DNSSEC implementation. I
> believe it can happens because of wise spammers can't cheat backresolve
> and blacklists checks anymore.
How is the information about whether the RRsets are signed and/or
validated, or not, getting back to the clients? IOW, if I'm a piece of
anti-spam software, how do I know that the answer I received is signed
and validated?
I ask because IMO this is actually the more difficult part of DNSSEC
deployment. We have the stuff to sign the zones, but figuring out how
to use the signature data (or lack thereof) is a whole new kettle of
fish.
Doug
--
If you're never wrong, you're not trying hard enough
- Previous message (by thread): [dns-wg] Re: Swedish ISP TCD Song Adopts DNSSEC
- Next message (by thread): [dns-wg] Re: Swedish ISP TCD Song Adopts DNSSEC
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]