Phillip Hallam-Baker wrote:
The point is that the particular obsession with 'end to end' solutions
means that we loose the ability to deploy architectures that provide
greater protection against the attacks that actually matter.
FYI, there is no point to insist on 'end to end' here, because DNS,
including plain old one not necessarilly DNSSEC, is not end to end.
DNS servers are intermediate intelligent entities betweeen peers,
though the servers are operated zone administrators between peers,
which are, in general, not ISPs between peers.
The lack of end to end property makes DNS, including DNSSEC,
vulnerable to MitM attacks at intermediate zones.
Though DNS resolvers can be, to avoid cache poisoning, implemented
end to end between client hosts and DNS servers without intermediate
resolvers, it's end to end merely between the client hosts and the
DNS servers and not between the clients and application servers of
Ietf mailing list