
Re: DNSSEC is NOT secure end to end (more tutorial than debating)

2009-06-05 05:21:38
Mark Andrews wrote:

Thus, we must, anyway, protect cache.

Then, where is the point to introduce DNSSEC only to have another
possibility of security holes?

We still lock doors and windows despite the possibility of people
breaking in by lifting tiles.

I'm afraid DNSSEC people have been arguing against SCTP saying
DNSSEC is good enough.

Worse, though I have been warning for these 15 years that cached
glue may be used only for glue with same referral, a broken
concept of bailiwick was introduced only to enable so called
Kaminsky attack.

Attacks at the registry level are the
equivalent of lifting tiles.  It happens sometimes.

Protection of DNSSEC at the registry level is equivalent
to protection against lifting tiles. Not practical at all.

Locking the doors and windows stops most attacks however.

Then, let's lock the doors and windows first, before working on
DNSSEC.

                                                Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
