Re: DNSSEC is NOT secure end to end (more tutorial than debating)

Mark Andrews wrote:

>>A problem of blindly believing a zone administration is that it is
>>only as secure as blindly believing an ISP administration.
>>
>>Attacking a router of a large ISP is as easy/difficult as attacking
>>a signature generation mechanism of a large zone.

> The difference is we *have* to trust the zone administration.

Zone administration involves multiple operations.

Though we have to trust the zone administration to put correct referral
and glue data in a master zone file, unless we use DNSSEC, we don't
have to trust the zone administration never to issue certificates over
forged keys of child zones.

You know, the former operation is much simpler, thus more secure,
than the latter.

						Masataka Ohta

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
