Thierry Moreau wrote: >>>> That is, security of DNSSEC involves third parties and is not end >>>> to end. > This is exactly like a chain of PKI CA's (replacing the path from bottom > to top of zone hierarchy): > Exactly the same with a compromised intermediate CA. > Exactly the same with a private key corresponding to the next > intermediate CA along the chain (i.e. the one certified by the The paper of David Clark says PKI is not secure end to end. Some tried to argue against by saying DNSSEC is so special that it is secure end to end. But, as you can observe, DNSSEC is no special and not secure end to end. > I don't think any DNSSEC expert ever claimed differently. I am the DNSSEC expert and see some people having a lot less expertise than me says DNSSEC secure end to end. They are incorrect or using different terminology on "end to end" not acceptable to the Internet community. Masataka Ohtqa _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf