ietf-asrg

Re: DNSSEC is NOT secure end to end (more tutorial than debating)

2009-06-03 02:29:43
Mark Andrews wrote:

A problem of blindly believing a zone administration is that it is
only as secure as blindly believing an ISP administration.

Attacking a router of a large ISP is as easy/difficult as attacking
a signature generation mechanism of a large zone.

      The difference is we *have* to trust the zone administration.

Zone administration involves multiple operations.

Though we have to trust the zone administration to put correct referral
and glue data in a master zone file, unless we use DNSSEC, we don't
have to trust the zone administration never to issue certificates over
forged keys of child zones.

You know, the former operation is much simpler, thus more secure,
than the latter.

                                                Masataka Ohta
