
Re: DNSSEC is NOT secure end to end

2009-06-02 19:33:56
Thierry Moreau wrote:

That is, security of DNSSEC involves third parties and is not end
to end.

This is exactly like a chain of PKI CA's (replacing the path from bottom 
to top of zone hierarchy):

Exactly the same with a compromised intermediate CA.

Exactly the same with a private key corresponding to the next 
intermediate CA along the chain (i.e. the one certified by the 

The paper of David Clark says PKI is not secure end to end.

Some tried to argue against it by saying DNSSEC is so special that
it is secure end to end.

But, as you can observe, DNSSEC is not special and not secure end
to end.

I don't think any DNSSEC expert ever claimed differently.

I am the DNSSEC expert and see some people having a lot less
expertise than me say DNSSEC is secure end to end.

They are incorrect or using a different terminology for "end to end"
that is not acceptable to the Internet community.

                                                Masataka Ohta


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf