I understand you don't want to go bolting extras into Perspectives, I was actually suggesting a second extension based on the Perspectives principle, and thought this may be the most suitable project to achieve it, due to the obvious parallel.
As DNS is not your area, maybe another visiting Dev will speak up.
Mostly I just want some feedback and to hit the idea with a few hammers, because the idea seems so simple it must have a massive hole I cannot see.
The only programmers I have been able to discuss this with, have been in person "IRL" (maybe I should do blog posts rather than forums).
The Devs at Avira said they like it and will contemplate it if they look at what to do with DNS. The feeling is that DNS is borked and needs a complete replacement. However, in the meantime I see we have no alternative, so where does that leave us right now?
So far nobody has given me a negative, or a reason why it would not work. They all say the same things (probably similar to people discovering Perspectives):
"Oh this seems like such an obvious/simple/cool idea, why is it not already standard if DNS poisoning still happens?"
It is now standard for most browsers to validate certs and check for phishing and malware before allowing access. I see adding DNS validation as an unavoidable requirement.
As I'm no security expert, I don't know how deep an extension would need to probe.
So in my simple terms, I figured that it would not be required to go as far as Perspectives, as it only requires the 1 aspect: "Do all the DNS agree on the IP address?"
You are not trying to validate an individual DNS's capabilities, only test if you can trust the DNS.
It does not need to fetch or send anything other than what the browser is already asking for.
However an extension could then offer the user the option to navigate to the most agreed upon IP.
Different security settings could either automate, prompt or block access.
When a mismatch is spotted, a Whois check could be done for domain and IP (I use extensions already that pull the Whois data for any site I am on).
My suggestion is to pre-load with the open DNSSEC servers, and allow users to edit/add their own.
This helps to sort out 2 things.
1) starting with authenticating DNS will immediately use known robust independent networks.
2) allowing users to change them will increase the chance of spotting polluted networks.
In summation.
An extension like this could quickly report DNS poisoning without user intervention, while acting as a shield or guiding hand to an IP address.
It could even be a way to confirm that your ISP is blocking or redirecting you.
The only way we have to quickly confirm a domain/IP is ask a DNS.
The only way we have to quickly confirm a DNS is ask another DNS.
(I am not including Whois lookups in that generalisation, as speed is important)
OK then, what have I missed?
Does it need to gather more detailed info about a DNS or simply what it "regularly" responds with?
I hope this prangs in someone's mind at least, and I have planted another seed, while I crusade elsewhere ;)
(I did it with Metalinks hehe, and I'll damn-well do it again. I'm already on the way to getting the hashes commonly used on geeky DL sites, used as part of the Avira browser download and validation).
Thank you for reading, and thank you even more if you take the time to dissect.
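An added example (not the poster's code, nor code from Perspectives or any existing extension) of the agreement check the post describes: several resolvers' answers for one name are compared, the most agreed-upon address is picked, dissenting resolvers are named, and the automate/prompt/block settings decide what happens. The resolver names, the answer sets and the policy strings are constructed assumptions; answers are compared as overlapping sets rather than for exact equality, because round-robin DNS legitimately returns more than one address.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample data (not real resolvers or real answers):
# resolver label -> set of A records it returned for the same name.
SAMPLE_ANSWERS = {
    "resolver-a": {"203.0.113.10", "203.0.113.11"},
    "resolver-b": {"203.0.113.11", "203.0.113.10"},
    "resolver-c": {"203.0.113.10"},
    "isp-resolver": {"198.51.100.99"},  # the odd one out
}


def consensus(answers):
    """Return (agreed_ip, dissenters).

    agreed_ip is the address returned by a strict majority of resolvers,
    or None when no address reaches a majority. dissenters is the set of
    resolvers whose answer set does not contain agreed_ip at all.
    """
    votes = Counter()
    for ips in answers.values():
        for ip in ips:
            ip_address(ip)  # reject anything that is not a valid address
            votes[ip] += 1
    if not votes:
        return None, set(answers)
    # Highest vote wins; ties broken by address text so the result is stable.
    best_ip, best_votes = max(votes.items(), key=lambda kv: (kv[1], kv[0]))
    if best_votes * 2 <= len(answers):  # no strict majority
        return None, set(answers)
    dissenters = {r for r, ips in answers.items() if best_ip not in ips}
    return best_ip, dissenters


def decide(answers, mode="prompt"):
    """Map the agreement result onto the post's automate/prompt/block settings."""
    ip, dissenters = consensus(answers)
    if ip is not None and not dissenters:
        return "allow"            # every resolver agrees: nothing to do
    if ip is None or mode == "block":
        return "block"            # no trustworthy address to steer towards
    if mode == "automate":
        return f"use {ip}"        # steer the browser to the agreed address
    return "prompt"               # mode == "prompt": let the user choose


if __name__ == "__main__":
    agreed, odd = consensus(SAMPLE_ANSWERS)
    print(f"agreed on {agreed}, dissenting resolvers: {sorted(odd)}")
    for mode in ("automate", "prompt", "block"):
        print(f"{mode}: {decide(SAMPLE_ANSWERS, mode)}")
```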