Thierry Moreau wrote:

>> (That is: You already trust the zones above you to maintain the
>> integrity of the zone on the *server*;

> This assumption does not stand universally. For some DNS users/usage,
> DNSSEC signature verification will be a must. The discussion implicitly
> referred to such uses.

A problem of blindly believing a zone administration is that it is only as secure as blindly believing an ISP administration.

Attacking a router of a large ISP is as easy/difficult as attacking a signature generation mechanism of a large zone.

Moreover, administration of the LAN of a local organization (my university, for example) is as secure as administration of a zone local to the organization.

You can, for example, bribe a personnel or two, against which there is no cryptographical protection, which means PKI is weakly secure.

Masataka Ohta