Phillip Hallam-Baker wrote:

> I really see no value in debating whether DNSSEC is 'end to end'.

Being end to end has practical benefits, which is why the Internet has been so successful, which is why some people have been insisting on a false statement that DNSSEC were secure end to end.

For example, the following statement of yours in another subthread:

> The current design would establish the root key holder as the perpetual
> controller of the DNS.

means DNSSEC involves the root key holder as a third party and not end to end.

Feel free to see no value in your statements.

> Clearly DNSSEC is only one component in a security solution and
> whether it is 'end-to-end' depends on what you decide to call an
> endpoint.

According to the terminology of David Clark, DNSSEC is not end to end.

> When Kaminsky discovered his cache poisoning vulnerability, some
> companies put out PR saying that the issue was already known, as if
> that made things better somehow.

The issue is that the concept of "bailiwick" is broken, which was already pointed out.

Kaminsky's attack can be protected against by proper handling of glue, without which DNSSEC cache can also be poisoned.

Masataka Ohta

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
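The reply above says that cache poisoning of the Kaminsky kind is prevented by "proper handling of glue" rather than by DNSSEC alone. As an added example (not code from the message, the thread, or any real resolver), the Python below models the two resolver-side defences that phrase refers to: a bailiwick check that discards additional-section records outside the zone the query was sent for, and the data-ranking rule of RFC 2181 section 5.4.1, under which glue is the least trustworthy class of data and can never replace an answer the cache already holds from an authoritative reply. The `Rank`, `RR`, `Cache` and `process_response` names, and every host name and address in `demo()`, are constructed for illustration.

```python
# Added example (not code from the thread): a toy resolver cache that applies
# a bailiwick check to the additional section and RFC 2181 section 5.4.1
# credibility ranking, so that glue can only help reach a delegation and never
# displaces data the resolver already trusts more.  All names and addresses
# below are constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum


class Rank(IntEnum):
    """Trustworthiness of cached data, lowest to highest (after RFC 2181 5.4.1)."""
    GLUE = 1       # additional-section records: only a hint for reaching a delegation
    REFERRAL = 2   # NS records from the authority section of a referral
    ANSWER = 3     # records from the answer section of an authoritative reply


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive)."""
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)


def filter_additional(zone: str, additional: list[RR]) -> list[RR]:
    """Drop additional-section records outside the zone the query was sent for."""
    return [rr for rr in additional if in_bailiwick(rr.name, zone)]


class Cache:
    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], tuple[Rank, set[str]]] = {}

    def store(self, rr: RR, rank: Rank) -> bool:
        """Store rr unless higher-ranked data for the same name and type is already held."""
        key = (_canon(rr.name), rr.rtype)
        current = self._entries.get(key)
        if current is None or rank > current[0]:
            self._entries[key] = (rank, {rr.rdata})
            return True
        if rank == current[0]:
            current[1].add(rr.rdata)
            return True
        return False   # lower-ranked data (e.g. glue) never overwrites trusted data

    def lookup(self, name: str, rtype: str):
        entry = self._entries.get((_canon(name), rtype))
        return None if entry is None else (entry[0], sorted(entry[1]))


def process_response(cache: Cache, asked_zone: str, answer: list[RR],
                     authority: list[RR], additional: list[RR]) -> None:
    """Rank each section of one response and store it; glue is bailiwick-filtered first."""
    for rr in answer:                      # assumed to come from an authoritative reply
        cache.store(rr, Rank.ANSWER)
    for rr in authority:
        cache.store(rr, Rank.REFERRAL)
    for rr in filter_additional(asked_zone, additional):
        cache.store(rr, Rank.GLUE)


def demo():
    """Constructed scenario: authoritative data first, then a reply whose glue disagrees."""
    cache = Cache()
    # 1. An authoritative answer for the nameserver's address is cached at ANSWER rank.
    process_response(cache, "example.com",
                     answer=[RR("ns1.example.com", "A", "192.0.2.1")],
                     authority=[], additional=[])
    # 2. A later reply for another name under example.com carries glue for
    #    ns1.example.com with a different address, plus a record for a name that
    #    is outside the zone.  The out-of-bailiwick record is dropped, and the glue
    #    ranks below the stored answer, so the cached address is unchanged.
    process_response(cache, "example.com",
                     answer=[RR("random.example.com", "A", "198.51.100.7")],
                     authority=[RR("example.com", "NS", "ns1.example.com")],
                     additional=[RR("ns1.example.com", "A", "203.0.113.9"),
                                 RR("ns.example.net", "A", "203.0.113.10")])
    return {
        "ns1": cache.lookup("ns1.example.com", "A"),
        "outside": cache.lookup("ns.example.net", "A"),
        "ns": cache.lookup("example.com", "NS"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ranking is that glue is accepted only as a way to contact the servers of a delegation and is never promoted to answer data; a real resolver would additionally re-query the nameserver name itself before trusting the address for anything else.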