Thierry Moreau wrote:
(That is: You already trust the zones above you to maintain the
integrity of the zone on the *server*;
This assumption does not stand universally. For some DNS users/usage,
DNSSEC signature verification will be a must. The discussion implicitly
referred to such uses.
A problem of blindly believing a zone administration is that it is
only as secure as blindly believing an ISP administration.
Attacking a router of a large ISP is as easy/difficult as attacking
a signature generation mechanism of a large zone.
Moreover, administration of the LAN of a local organization (my university,
for example) is as secure as administration of a zone local to the organization.
You can, for example, bribe a personnel or two, against which there
is no cryptographical protection, which means PKI is weakly secure.
Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf