Re: DNSSEC is NOT secure end to end

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



As a disinterested third party...

On Mon Jun  1 16:09:39 2009, Mark Andrews wrote:
> Totally different from DNSSEC which indeed uses chains of trust - i.e. root
> to tld to sld etc.etc.

	And DNSCurve uses chains of trust from root servers to tld
	servers to sld servers etc. etc.

After skimming DNSCurve to get the general idea, I agree with Mark here. I don't see any particular way in which the NS records (which specify the keys) from the parent are themselves validated, other than by trusting the parent domain's nameservers, which essentially means they give equivalent protection to DNSSEC from that standpoint.

I did wonder whether there was additional scope for "leap of faith", but I'm not sure even that exists.

Moreover, since DNSCurve only operates hop-by-hop, rather than end-to-end (in the sense of the DNS resolution process as a whole) it relies on a hop-by-hop trust arrangement. In particular, my servers here would have to use either a trusted resolver, or no resolver at all.

I do note that DNSCurve looks like a neat hack, just one that, on closer inspection, turns out to have no obvious benefits in this particular respect.

Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxxxxxxxxx
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]