Mark Andrews wrote:

>>A problem of blindly believing a zone administration is that it is
>>only as secure as blindly believing an ISP administration.
>>
>>Attacking a router of a large ISP is as easy/difficult as attacking
>>a signature generation mechanism of a large zone.

> The difference is we *have* to trust the zone administration.

Zone administration involves multiple operations.

Though we have to trust the zone administration to put correct referral and glue data in a master zone file, unless we use DNSSEC, we don't have to trust the zone administration never to issue certificates over forged keys of child zones.

You know, the former operation is much simpler, thus more secure, than the latter.

Masataka Ohta