
Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

2015-02-27 10:13:41
"Eliot" == Eliot Lear <lear(_at_)cisco(_dot_)com> writes:


    Eliot> DNSSEC: it's not just for breakfast anymore.

I've mentioned this before, but DNSSec is not really a complete answer
here.  DNSSec is only an appropriate answer when the set of DNS trust
anchors is appropriate to the information being protected.

Today, I expect for many applications that the information entered by
the user will be validated against an application-specific set of trust
anchors.  If DNS is trusted to make decisions about what my target
security principal can be, then the DNS trust anchors become part of
that trusted set.  For a number of enterprise applications that's really
bad from a security standpoint.

For other applications, this is a great technology and DNSSec is a
reasonable way to protect it.
