Sabahattin Gucukoglu wrote:

> DNSsec, as far as I can see, does not use a PKI in the traditional
> sense. There are _NO_ persons involved in the process,

FYI, zones are operated by people.
I can forge a key of your zone. I can, then, ask a person operating a
parent zone of yours to issue a valid signature over the forged key.

> Yeah, but at least now we know the difference between the subversion
> of the "Chain of trust" and some bloke with a packet sniffer.

It merely means that DNS depends on two chains of trust: one with
zones and another with ISPs.
As we know, ISPs are reasonably trustable.

> The point here is, we now have a way to verify the technical
> functions we depend on today are working properly.

Indeed, DNSSEC technically verifies keys have valid signatures.
However, DNSSEC does not technically verify the valid signatures
are obtained legitimately.
Ietf mailing list