David Conrad wrote:
> You are aware, of course, that some ISPs are actively engaging
> in DNS response modification, right?
> Ignoring for a second that the Internet isn't the telephony system
> (intelligence in the network is in different places),
OK. You are saying that any network with intermediate intelligence
to modify DNS responses is not a part of the Internet.
I agree with you.
That is, we agree that ISPs in your first statement are not really
Note that it does not affect the resemblance between the weak security
models of the Internet and the telephone network.
> there have been MITM attacks against the telephony system.
There will be MITM attacks (by a man who operates a CA in the middle
of a CA chain) against DNSSEC. So?
> Cache poisoning is ALSO a result of the fact that the path
> between source and destination is not protected.
As cache poisoning can occur with poorly implemented DNSSEC
(e.g. with implementations which imprecisely check signatures),
you should conclude that DNSSEC does not protect the path
between source and destination.
DNSSEC does not give any protection to the CA path between
source and destination, anyway.
Ietf mailing list