On May 28, 2009, at 5:47 AM, Alessandro Vesely wrote:
> I don't trust the data because it is signed, I trust it because the signature proves that it originated from the authoritative server.
Not quite. The signature over the data proves that the holder of the private key has signed the data. The origin of that data then becomes irrelevant.
> Therefore, if I'm connected with the authoritative server over a trusted channel, I can trust the data even if it isn't signed.
Not really. You are relying on the fact that the authoritative server and (potentially) the channels it uses to communicate to the originator of the data have not been compromised.
> By induction, if a resolver only uses either signed data or trusted channels, I can trust it.
A trusted channel is superfluous when the data is signed.
> The limitations in TCP or SCTP security stem from an attacker's ability to compromise one or more routers, so as to either tamper with the packets on the fly, or redirect them to some other host. That's much more difficult than forging the source address of a UDP packet, though.
True, but object security removes even the residual risk of channel compromise (e.g., a compromised router).
However, pragmatically speaking, I suspect it is going to be much, much easier to get DNSSEC deployed than it would be to get every router/firewall/NAT manufacturer and network operator to support/deploy SCTP, not to mention getting every DNSSEC server to support DNS over SCTP.
Regards,
-drc

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
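The point drc makes above, that a validating resolver checks the signature against the data and the zone's key and never against the path the data took, shown as an added example that is not part of the original thread or of any DNSSEC implementation. It is written in Go and makes these assumptions: the signing algorithm is Ed25519 (which became DNSSEC algorithm 15 in RFC 8080, after this 2009 exchange); the RRset is serialised in a simplified textual form rather than the RFC 4034 canonical wire format, which is enough to give signer and verifier identical bytes; and the records, the owner name example.com and the address a compromised router swaps in are constructed RFC 5737 documentation values. `CompromisedRouter` stands for the on-path attacker from the thread, who can rewrite packets whether the transport is UDP, TCP or SCTP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a deliberately simplified resource record (assumption: real DNSSEC
// signs the RRset in canonically ordered wire format, RFC 4034 section 6;
// this text form only has to give signer and verifier identical bytes).
type RR struct {
	Name string
	TTL  uint32
	Type string
	Data string
}

// CanonicalRRset lowercases owner names and sorts the records so that any
// party holding the same set, in any order or letter case, serialises the
// same bytes. The signature covers these bytes, never a transport.
func CanonicalRRset(rrs []RR) []byte {
	c := make([]RR, len(rrs))
	copy(c, rrs)
	for i := range c {
		c[i].Name = strings.ToLower(c[i].Name)
	}
	sort.Slice(c, func(i, j int) bool {
		if c[i].Name != c[j].Name {
			return c[i].Name < c[j].Name
		}
		if c[i].Type != c[j].Type {
			return c[i].Type < c[j].Type
		}
		return c[i].Data < c[j].Data
	})
	var b strings.Builder
	for _, rr := range c {
		fmt.Fprintf(&b, "%s|%d|%s|%s\n", rr.Name, rr.TTL, rr.Type, rr.Data)
	}
	return []byte(b.String())
}

// NewZoneKey generates the zone's signing key pair (Ed25519, DNSSEC
// algorithm 15 per RFC 8080; chosen here as an assumption).
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the zone signer's step; the returned bytes are what an RRSIG carries.
func Sign(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, CanonicalRRset(rrs))
}

// Verify is the validating resolver's step. It does not ask which server or
// which transport delivered the records, only whether the holder of the
// private key signed exactly this RRset.
func Verify(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, CanonicalRRset(rrs), sig)
}

// Channel models the path from the authoritative server to the resolver.
type Channel func(rrs []RR) []RR

// HonestChannel delivers the records unchanged.
func HonestChannel(rrs []RR) []RR { return rrs }

// CompromisedRouter models the on-path attacker from the thread: a hop that
// can rewrite packets swaps an address. 192.0.2.66 is a constructed value.
func CompromisedRouter(rrs []RR) []RR {
	out := make([]RR, len(rrs))
	copy(out, rrs)
	for i := range out {
		if out[i].Type == "A" {
			out[i].Data = "192.0.2.66"
			break
		}
	}
	return out
}

// Fetch returns what the resolver receives after the channel has acted on the
// answer. The RRSIG travels alongside; without the private key the attacker
// cannot produce a fresh signature over the altered records.
func Fetch(ch Channel, rrs []RR, sig []byte) ([]RR, []byte) {
	return ch(rrs), sig
}

// ExampleRRset is a constructed A RRset for example.com (RFC 5737 addresses),
// with mixed case on purpose to exercise canonicalisation.
func ExampleRRset() []RR {
	return []RR{
		{Name: "example.com.", TTL: 3600, Type: "A", Data: "192.0.2.2"},
		{Name: "EXAMPLE.com.", TTL: 3600, Type: "A", Data: "192.0.2.1"},
	}
}

func main() {
	pub, priv := NewZoneKey()
	rrs := ExampleRRset()
	sig := Sign(priv, rrs)
	for _, c := range []struct {
		name string
		ch   Channel
	}{{"honest path", HonestChannel}, {"compromised router", CompromisedRouter}} {
		got, gotSig := Fetch(c.ch, rrs, sig)
		fmt.Printf("%-18s verify=%v records=%v\n", c.name, Verify(pub, got, gotSig), got)
	}
}
```

The honest path and the compromised router deliver over the same notional transport; only the bytes differ, and that is all `Verify` looks at. This is the sense in which a trusted channel is superfluous once the data is signed: the check would give the same verdict over UDP, TCP or SCTP. What the signature does not cover is the case from drc's second reply, a server whose own data was wrong before it was signed; that stays out of scope for any transport or signature check.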