> That is, security of DNSSEC involves third parties and is not end
> to end.

That is indeed correct. An attacker can build a fake hierarchy of "secure DNS" assertions and try to get it accepted. The attack can succeed with the complicity of one of the authorities in the hierarchy. It is a classic "attack by a trusted party".

Problem is, hop-by-hop security will not protect against an attack by an intermediate authority. If an intermediate authority has been compromised, it can just as well insert a fake NS record -- that's not harder than a fake record signature. Hop-by-hop security will securely connect to the wrong name server, to which the wrong NS record points...

-- Christian Huitema
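Added example, not part of the message above or of any IETF document: a small Python model of the DNSSEC chain of trust that makes the "third parties" explicit. Alongside the validation result it returns the list of zones whose DS publication the result rests on, so the dependency on every authority in the hierarchy is visible; the zone names and key strings are constructed placeholders, and the digests stand in for real DS records.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Zone:
    """A signed zone in the model (constructed, not real DNS data)."""
    name: str                                # e.g. "com."
    key: str                                 # stands in for the zone's DNSKEY
    ds: dict = field(default_factory=dict)   # child name -> digest of the child's key


def ds_digest(key: str) -> str:
    # A DS record carries a digest of the child's key, not the key itself.
    return hashlib.sha256(key.encode()).hexdigest()


def chain_for(name: str) -> list:
    """Zone cuts from the root down to `name`: '.', 'com.', 'example.com.', ..."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(zones: dict, trust_anchor: str, zone_name: str):
    """Walk the chain the way a validator does: the root key must match the
    configured trust anchor, and every other key is accepted only because the
    parent, already trusted, published a DS for it. Returns (accepted, relied_on),
    where relied_on lists every zone whose DS decision the result rests on."""
    relied_on, parent = [], None
    for cut in chain_for(zone_name):
        zone = zones.get(cut)
        if zone is None:
            return False, relied_on
        expected = trust_anchor if parent is None else parent.ds.get(cut)
        if expected != ds_digest(zone.key):
            return False, relied_on          # broken link: no trusted DS for this key
        relied_on.append(cut)
        parent = zone
    return True, relied_on


def build_hierarchy(example_key: str) -> dict:
    """Root -> com. -> example.com., with com. vouching for `example_key`."""
    example = Zone("example.com.", example_key)
    com = Zone("com.", "com-key", ds={"example.com.": ds_digest(example_key)})
    root = Zone(".", "root-key", ds={"com.": ds_digest(com.key)})
    return {z.name: z for z in (root, com, example)}


ANCHOR = ds_digest("root-key")   # the validator's only out-of-band trust

if __name__ == "__main__":
    # Whatever key com. chooses to vouch for validates identically at the resolver.
    print(validate(build_hierarchy("example-key"), ANCHOR, "example.com."))
    print(validate(build_hierarchy("some-other-key"), ANCHOR, "example.com."))
```

The two calls at the bottom return the same `(True, ['.', 'com.', 'example.com.'])`: nothing the validator checks involves the legitimate operator of example.com., only what the parent published.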