> > Yes, security of DNSSEC is totally hop by hop.
> >
>
> Thus, you imply a definition of hop by hop along digital signature
> relationships. Indeed, DNSSEC security is limited to the weakest link
> along the chain from the bottom to the top of the DNS hierarchy. Nothing
> new there. I don't think any DNSSEC expert ever claimed differently.

Even in the presence of the "attack by a trusted party", there are still huge differences between DNSSEC and "transport-hop-by-transport-hop" security. Transport-based solutions, SCTP or TCP, are open to attacks by any party in the path between two hops -- NAT routers come to mind. DNSSEC is immune to such attacks, a big advantage in practice.

Also, it is actually possible to improve on DNSSEC by introducing additional knowledge. If two domains have an established relation, their servers can memorize the relevant public keys. If a host has a relation with a domain, it can memorize that domain's public key. This kind of "peer-to-peer" improvement makes the domain-to-domain or host-to-domain DNSSEC service immune to attacks by nodes higher in the hierarchy.

-- Christian Huitema

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
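The two points in the message above, that DNSSEC validation is bounded by the weakest link in the chain from the root down, and that a validator which has memorized a domain's public key from a prior relation is no longer exposed to substitution by a node higher in the hierarchy, are illustrated by the following Python model. It is an added example, not part of the mailing-list post and not code from any DNSSEC implementation. It assumes a toy three-level hierarchy (`.`, `com.`, `example.com.`), constructed addresses, and a Lamport one-time signature as a stdlib-only stand-in for DNSKEY/RRSIG; the `validate` function, the "pinned" key dictionary, and the zone-bundle layout are all inventions of the example.

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class LamportKey:
    """Lamport one-time signature over SHA-256: a stdlib-only stand-in for a DNSKEY.
    A real Lamport key must sign only one message; the demo below reuses the com. key
    purely so that the honest and forged views can coexist in one process."""

    def __init__(self):
        # 256 pairs of random preimages; the public key is their hashes
        self.sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        self.pk = tuple((h(a), h(b)) for a, b in self.sk)

    def sign(self, msg: bytes) -> tuple:
        d = h(msg)
        return tuple(self.sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))


def verify(pk: tuple, msg: bytes, sig: tuple) -> bool:
    d = h(msg)
    return all(h(sig[i]) == pk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))


def key_digest(pk: tuple) -> bytes:
    """DS-style digest that a parent publishes for its child's key."""
    return h(b"".join(a + b for a, b in pk))


def serialize(ds: dict, records: dict) -> bytes:
    return repr((sorted((c, d.hex()) for c, d in ds.items()), sorted(records.items()))).encode()


def publish(key: LamportKey, ds: dict, records: dict) -> dict:
    """What a zone serves: its key, the DS digests of its children, its records, one signature."""
    return {"pk": key.pk, "ds": ds, "records": records, "sig": key.sign(serialize(ds, records))}


def validate(view: dict, chain: list, anchor: bytes, pinned=None) -> dict:
    """Walk root -> leaf. Each zone's key must match the DS its parent signed (the trust
    anchor at the root), its signature must verify, and, if the validator has a pinned key
    for the zone, the served key must equal it. Returns the leaf records or raises ValueError."""
    pinned = pinned or {}
    expected = anchor
    for i, zone in enumerate(chain):
        data = view[zone]
        if key_digest(data["pk"]) != expected:
            raise ValueError(f"{zone}: served DNSKEY does not match the DS from its parent")
        if zone in pinned and data["pk"] != pinned[zone]:
            raise ValueError(f"{zone}: served DNSKEY differs from the pinned key")
        if not verify(data["pk"], serialize(data["ds"], data["records"]), data["sig"]):
            raise ValueError(f"{zone}: signature does not verify")
        if i + 1 < len(chain):
            expected = data["ds"][chain[i + 1]]
    return view[chain[-1]]["records"]


def build_views():
    """Constructed sample hierarchy '.' -> 'com.' -> 'example.com.'; keys and addresses are made up."""
    root, com, example, rogue = LamportKey(), LamportKey(), LamportKey(), LamportKey()
    honest = {
        "example.com.": publish(example, {}, {"www.example.com. A": "192.0.2.10"}),
        "com.": publish(com, {"example.com.": key_digest(example.pk)}, {}),
        ".": publish(root, {"com.": key_digest(com.pk)}, {}),
    }
    # "Attack by a trusted party": the operator of com. (a node higher in the hierarchy)
    # signs a DS for a key it controls and serves a substituted example.com. zone.
    forged = dict(honest)
    forged["com."] = publish(com, {"example.com.": key_digest(rogue.pk)}, {})
    forged["example.com."] = publish(rogue, {}, {"www.example.com. A": "198.51.100.66"})
    return honest, forged, key_digest(root.pk), example.pk


def run_demo() -> dict:
    honest, forged, anchor, example_pk = build_views()
    chain = [".", "com.", "example.com."]
    out = {"honest": validate(honest, chain, anchor)["www.example.com. A"]}
    # Without extra knowledge the substituted chain validates: the weakest link decides.
    out["forged_unpinned"] = validate(forged, chain, anchor)["www.example.com. A"]
    # With example.com.'s key memorized from a prior relation, the substitution is caught.
    try:
        validate(forged, chain, anchor, pinned={"example.com.": example_pk})
        out["forged_pinned"] = "accepted"
    except ValueError as err:
        out["forged_pinned"] = f"rejected ({err})"
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running the script prints the honest answer, the forged answer that an anchor-only validator accepts, and the rejection produced once the leaf key is pinned. The pin is checked after the DS match on purpose: the point is that the forged chain is internally consistent all the way from the root, so only knowledge the validator brought from outside the hierarchy distinguishes it.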