Re: DNSSEC is NOT secure end to end (more tutorial than debating)

ietf

Re: DNSSEC is NOT secure end to end (more tutorial than debating)

2009-06-02 12:12:06



Richard Barnes wrote:

(That is: You already trust the zones above you to maintain theintegrity of the zone on the *server*;

This assumption does not stand universally. For some DNS users/usage,DNSSEC signature verification will be a must. The discussion implicitlyreferred to such uses.

Then, it is legitimate to appraise the overall confidence in the DNSSECchain of signatures, and to pinpoint the weakest link (e.g. the zonemanager having the greatest likelihood of lousy private key protectionin place).

Indeed, DNS+DNSSEC is no different from plain DNS for those who aresatisfied with the plain DNS. For those awaiting DNS+DNSSEC for someuses, it is useful to understand DNSSEC chains of digital signatures.

Accesssorily, the zones "above you" means nothing to a relying partythat is not validating its own domain.


Regards,

--

- Thierry Moreau

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: DNSSEC is NOT secure end to end, (continued) Re: DNSSEC is NOT secure end to end, Masataka Ohta Re: DNSSEC is NOT secure end to end, Thierry Moreau Re: DNSSEC is NOT secure end to end, Masataka Ohta Re: [Asrg] DNSSEC is NOT secure end to end, Christian Huitema Re: DNSSEC is NOT secure end to end, Masataka Ohta RE: DNSSEC is NOT secure end to end, Paul Wouters Re: [Asrg] DNSSEC is NOT secure end to end, Doug Otis Re: DNSSEC is NOT secure end to end, Richard Barnes Re: DNSSEC is NOT secure end to end (more tutorial than debating), Thierry Moreau Re: DNSSEC is NOT secure end to end (more tutorial than debating), Richard Barnes Re: DNSSEC is NOT secure end to end (more tutorial than debating), Thierry Moreau <= Re: DNSSEC is NOT secure end to end (more tutorial than debating), Masataka Ohta Re: DNSSEC is NOT secure end to end (more tutorial than debating), Paul Wouters Re: DNSSEC is NOT secure end to end (more tutorial than debating), Mark Andrews Re: DNSSEC is NOT secure end to end (more tutorial than debating), Paul Wouters Re: DNSSEC is NOT secure end to end (more tutorial than debating), Mark Andrews Re: DNSSEC is NOT secure end to end (more tutorial than debating), Michael StJohns Re: DNSSEC is NOT secure end to end (more tutorial than debating), Mark Andrews Re: DNSSEC is NOT secure end to end (more tutorial than debating), Masataka Ohta Re: DNSSEC is NOT secure end to end (more tutorial than debating), Andrew Sullivan Re: DNSSEC is NOT secure end to end (more tutorial than debating), Masataka Ohta

Previous by Date:	Re: [Unicode Announcement] New Public Review Issue #147: Proposed Deprecation of U+0673 ARABIC LETTER ALEF WITH WAVY HAMZA BELOW, Mark Davis
Next by Date:	Re: [Asrg] DNSSEC is NOT secure end to end, Paul Wouters
Previous by Thread:	Re: DNSSEC is NOT secure end to end (more tutorial than debating), Richard Barnes
Next by Thread:	Re: DNSSEC is NOT secure end to end (more tutorial than debating), Masataka Ohta
Indexes:	[Date] [Thread] [Top] [All Lists]