On Thu, Sep 12, 2013 at 04:46:01PM +0000, Ted Lemon wrote:
> The model for this sort of validation is really not on a per-client
> basis, but rather depends on routine cross-validation by various
> DNSSEC operators throughout the network. This will not necessarily
> catch a really focused attack, so it's not a panacea, but it would
> limit the scope of the threat for this sort of attack.
Fair enough, but if the goal is to prevent pervasive surveillance,
simply using a key exchange which provides perfect forward secrecy
will do that, even given the pathetic state of https security given
the realities of the web and the CAs out there.
Still, I agree with the general precept that perfect should not be the
enemy of the better, and DNSSEC certainly adds value. I just get worried
about people who seem to think that DNSSEC is a panacea.
- Ted