Yes, security of DNSSEC is totally hop by hop.
Thus, you imply a definition of hop by hop along digital signature
relationships. Indeed, DNSSEC security is limited to the weakest link
along the chain from the bottom to the top of the DNS hierarchy. Nothing
new there. I don't think any DNSSEC expert ever claimed differently.
Even in the presence of the "attack by a trusted party", there are still huge
differences between DNSSEC and "transport-hop-by-transport-hop" security.
Transport-based solutions, SCTP or TCP, are open to attacks by any party in the
path between two hops -- NAT routers come to mind. DNSSEC is immune to such
attacks, a big advantage in practice.
Also, it is actually possible to improve on DNSSEC by introducing additional
knowledge. If two domains have an established relation, their servers can
memorize the relevant public keys. If a host has a relation with a domain, it
can memorize that domain's public key. This kind of "peer-to-peer" improvement
makes the domain-to-domain or host-to-domain DNSSEC service immune to attacks
by nodes higher in the hierarchy.
-- Christian Huitema
Asrg mailing list
http://www.irtf.org/mailman/listinfo/asrg
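An added toy model of the two points above (the chain from the root down is only as strong as its weakest parent, and a memorized peer key makes the parents irrelevant); this is illustration code, not part of Huitema's message or any DNSSEC implementation. It assumes a keyed hash standing in for RRSIG signatures, a digest standing in for the DS record, and constructed zone names and key values.

```python
import hashlib

def toy_sign(key: bytes, data: bytes) -> str:
    # Toy stand-in for an RRSIG (keyed hash). Real DNSSEC uses public-key
    # signatures; only the chain-of-trust logic is modelled here.
    return hashlib.sha256(key + b"|" + data).hexdigest()

def ds_hash(child_key: bytes) -> str:
    # Toy DS record: digest of the child's key, served and signed by the parent.
    return hashlib.sha256(child_key).hexdigest()

def publish_ds(parent_key: bytes, child: str, child_key: bytes) -> tuple:
    digest = ds_hash(child_key)
    return digest, toy_sign(parent_key, child.encode() + digest.encode())

def validate(chain: list, dnskeys: dict, ds: dict, anchors: dict) -> bool:
    # chain: zone names top-down, e.g. [".", "com", "example.com"]
    # dnskeys: zone -> key the resolver fetched; ds: child -> (digest, sig)
    # anchors: zone -> key trusted a priori (root, plus any memorized peer key)
    # Start at the deepest anchored zone: a memorized key for a lower zone
    # makes every zone above it irrelevant to the outcome.
    start = max(i for i, z in enumerate(chain) if z in anchors)
    trusted = anchors[chain[start]]
    if dnskeys[chain[start]] != trusted:
        return False  # zone's key does not match what we hold for it
    for child in chain[start + 1:]:
        digest, sig = ds[child]
        if sig != toy_sign(trusted, child.encode() + digest.encode()):
            return False  # DS not signed by the key trusted for the parent
        if ds_hash(dnskeys[child]) != digest:
            return False  # fetched child key does not match its DS
        trusted = dnskeys[child]
    return True

def scenario(parent_compromised: bool, pin_example: bool) -> bool:
    # Constructed keys and zones; returns whether example.com's key is accepted.
    root, com, example, rogue = b"root-k", b"com-k", b"example-k", b"rogue-k"
    chain = [".", "com", "example.com"]
    served = rogue if parent_compromised else example
    ds = {"com": publish_ds(root, "com", com),
          "example.com": publish_ds(com, "example.com", served)}
    dnskeys = {".": root, "com": com, "example.com": served}
    anchors = {".": root}
    if pin_example:
        anchors["example.com"] = example  # key memorized from a prior relation
    return validate(chain, dnskeys, ds, anchors)
```

With only the root anchor, a parent that signs a DS for the wrong key is accepted by the chain walk; with the memorized key for example.com the mismatch is caught and the parent's signature never matters.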