On 04/11/2014 02:57 AM, Theodore Ts'o wrote:
So to get a bad DS added you need to be a corrupt registry or a
corrupt employee of registry or you need to compromise the registrants
credentials or you need to succeed in transfering the zone to you.
Or you have to be the corrupt registry operator or an employee for the
registry operator (i.e., Verisign for the .com domain)....
But at least you have the option to switch away from the corrupt
registry operator. An expensive option, since it would involve changing
your domain names, but an option you don't have with x509 (well, you can
switch, but that doesn't protect you, which was the point). Far from
perfect, but for that specific problem much better than the current x509
model.
Jelte