
RE: DNSSEC is NOT secure end to end

2009-06-05 13:40:01
On Wed, 3 Jun 2009, Christian Huitema wrote:

Also, it is actually possible to improve on DNSSEC by introducing additional knowledge.
If two domains have an established relation, their servers can memorize the relevant public
keys. If a host has a relation with a domain, it can memorize that domain's public key.
This kind of "peer-to-peer" improvement makes the domain-to-domain or
host-to-domain DNSSEC service immune to attacks by nodes higher in the hierarchy.

How do you handle key changes? How do you determine if the key change
is performed by the domain holder or an attacker?

There is no reason for such a "leap of faith" caching. In fact, with
SSHFP records, we can also nail down that leap of faith for ssh finally :)

Paul
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
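The key-change problem Paul raises, worked through as an added example (this is not code from the thread or from OpenSSH). It contrasts a "leap of faith" cache, which on a changed key can only report "changed" and cannot tell a legitimate rollover from an attacker's key, with an SSHFP record (RFC 4255; SHA-256 fingerprints per RFC 6594) that lets the client check the new key against what the zone owner published. The host name, the Ed25519 keys and the zone records are constructed for the example; in real use OpenSSH does this with `VerifyHostKeyDNS yes`, and the SSHFP RRset only proves anything when it arrives DNSSEC-validated (AD bit from a trusted validating resolver).

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type (RFC 4255 / RFC 6594).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_key_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line from a 32-byte Ed25519 public key.

    The base64 part is the wire-format blob found in known_hosts; SSHFP
    hashes exactly that blob. Keys used below are constructed, not real.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_fingerprint(pubkey_line: str, fptype: int) -> tuple:
    """Return (algorithm, fptype, hex fingerprint) for a public-key line."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The hash covers the decoded key blob, not the base64 text.
    return SSHFP_ALGORITHM[keytype], fptype, FP_HASH[fptype](blob).hexdigest()


def parse_sshfp_rr(rr: str) -> tuple:
    """Parse 'owner. IN SSHFP <alg> <fptype> <hex>' (hex may contain spaces)."""
    fields = rr.split()
    i = fields.index("SSHFP")
    alg, fptype = int(fields[i + 1]), int(fields[i + 2])
    return alg, fptype, "".join(fields[i + 3:]).lower()


def verify_host_key(pubkey_line: str, rrset: list) -> bool:
    """Accept the presented host key only if some SSHFP record matches it.

    Assumption: rrset was obtained through DNSSEC validation; without that,
    a spoofed answer would be accepted just as readily.
    """
    for rr in rrset:
        alg, fptype, fp = parse_sshfp_rr(rr)
        if fptype not in FP_HASH:
            continue  # unknown fingerprint type: skip, do not fail open
        if sshfp_fingerprint(pubkey_line, fptype) == (alg, fptype, fp):
            return True
    return False


def tofu_check(cache: dict, host: str, pubkey_line: str) -> str:
    """Leap-of-faith check, known_hosts style: 'new', 'match' or 'changed'."""
    if host not in cache:
        cache[host] = pubkey_line
        return "new"
    return "match" if cache[host] == pubkey_line else "changed"


# Hypothetical host and constructed keys for the demonstration.
HOST = "host.example.net"
OLD_KEY = make_ed25519_key_line(bytes(range(32)), "old-key-constructed")
NEW_KEY = make_ed25519_key_line(bytes(range(32, 64)), "rolled-key-constructed")
ROGUE_KEY = make_ed25519_key_line(bytes([0x41] * 32), "attacker-key-constructed")


def zone_sshfp(host: str, key_line: str) -> str:
    """What the zone owner publishes for a key (SHA-256 fingerprint type)."""
    alg, fptype, fp = sshfp_fingerprint(key_line, 2)
    return f"{host}. IN SSHFP {alg} {fptype} {fp}"


# During a rollover the owner publishes records for both the old and new key.
ZONE = [zone_sshfp(HOST, OLD_KEY), zone_sshfp(HOST, NEW_KEY)]


def demo() -> dict:
    """Show that TOFU cannot distinguish rollover from attack, SSHFP can."""
    cache = {}
    tofu_check(cache, HOST, OLD_KEY)  # first contact: leap of faith
    return {
        "tofu_new_key": tofu_check(cache, HOST, NEW_KEY),
        "tofu_rogue_key": tofu_check(cache, HOST, ROGUE_KEY),
        "sshfp_new_key": verify_host_key(NEW_KEY, ZONE),
        "sshfp_rogue_key": verify_host_key(ROGUE_KEY, ZONE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both the rolled key and the attacker's key come back as "changed" from the cache, which is exactly Paul's objection to leap-of-faith caching: the client has no basis for deciding. Against the published SSHFP records the rolled key verifies and the rogue key does not, provided the records themselves were authenticated by DNSSEC; an unvalidated SSHFP answer moves the attack from the SSH connection to the DNS response.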