Long response for a non-authoritative answers

Brad Knowles brad.knowles at skynet.be
Sat Sep 22 08:12:19 UTC 2001


At 9:24 PM -0600 9/20/01, Cricket Liu wrote:

>  I thought of the previous behavior as, "I just asked the authoritative
>  name servers, so the response is still authoritative" (by some sort of
>  DNS transitivity, I guess).  Specifying non-recursive queries never
>  bothered me.

	After thinking about this, it occurs to me that it should be much 
harder to pass on a poisoned cache if the authoritative answer is 
first stored in the cache, and then the answer is provided from the 
cache non-authoritatively.


	I recently heard that the original purpose of the DNSSEC stuff 
was to be able to use cryptographic methods to avoid cache poisoning.

	IMO, there are more basic things that should be done first before 
attempting to use cryptography to help us solve this problem, such as 
getting all the TLD servers around the world to turn off recursion 
(especially servers like ns.eu.net, which is authoritative for 
something like 70 zones).

	However, I do feel that DNSSEC is ideally suited to serving a 
higher purpose, namely being able to provide cryptographically strong 
certification that some object really is what it claims to be, and 
you can prove this by following the chain of certifications down from 
the root.  But this doesn't really have much of anything to do with 
cache poisoning.

-- 
Brad Knowles, <brad.knowles at skynet.be>
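A named.conf sketch of the mitigation argued for above (turning off recursion on servers that are only meant to be authoritative), added here as an illustration; it is not from the post or from any real server's configuration, and the directory, zone name and zone file are placeholders:

```conf
// Weak: authoritative for many zones, yet also recurses for anyone who asks.
// Every recursive lookup it performs lands in its cache, where a poisoned
// record can later be handed out alongside its own authoritative data.
options {
    directory "/var/named";
    recursion yes;                 // open resolver
    allow-query { any; };
};
zone "example.net" { type master; file "example.net.zone"; };

// Hardened: authoritative-only. A query for a name outside its zones is
// REFUSED rather than looked up and cached, so there is no resolver cache
// on this box to poison or to pass on.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };          // still answer for the zones we serve
    allow-recursion { none; };     // belt and braces: nobody may recurse here
    minimal-responses yes;         // no extra additional-section records
};
zone "example.net" { type master; file "example.net.zone"; };
```

Querying the hardened server for a name it is not authoritative for should return status REFUSED, and the flags line of any answer it does give should lack `ra`. Recursive service for your own clients belongs on a separate resolver that is authoritative for nothing.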
