Sabahattin Gucukoglu wrote:

>>> DNSsec, as far as I can see, does not use a PKI in the traditional
>>> sense. There are _NO_ persons involved in the process,
>>
>> FYI, zones are operated by people.
>>
>> I can forge a key of your zone. I can, then, ask a person operating a
>> parent zone of yours to issue a valid signature over the forged key.

> Yeah, but at least now we know the difference between the subversion
> of the "Chain of trust" and some bloke with a packet sniffer.

It merely means that DNS depends on two chains of trust: one with zones
and another with ISPs. As we know, ISPs are reasonably trustable.

> The point here is, we now have a way to verify the technical
> functions we depend on today are working properly.

That's pointless.

Indeed, DNSSEC technically verifies keys have valid signatures.

However, DNSSEC does not technically verify the valid signatures are
obtained legitimately.

						Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
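The distinction Ohta draws (a validator checks that each key is vouched for by its parent, not that the parent was right to vouch for it) can be shown with a small model of the delegation chain. The following is an added illustration, not code from the thread or from any DNSSEC implementation: zone and key names are constructed, DS records are modelled as a set of key digests the parent operator has published, and cryptographic signatures are left out since the DS lookup already carries the point. The last function is the operational check a zone operator would actually run: compare the DS records the parent publishes against the keys you know you hold, which is the only way the extra, illegitimately obtained record shows up.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def key_digest(pubkey: bytes) -> str:
    """DS-style digest of a public key (real DS records hash the DNSKEY RDATA)."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class Zone:
    name: str
    pubkey: bytes                       # toy stand-in for the zone's DNSKEY
    parent: Zone | None = None
    # DS records this zone's operator has published: child name -> key digests
    ds: dict[str, set[str]] = field(default_factory=dict)

    def publish_ds(self, child_name: str, child_key: bytes) -> None:
        """The parent operator vouches for a child key by publishing its DS record."""
        self.ds.setdefault(child_name, set()).add(key_digest(child_key))


def validate(zone_name: str, candidate_key: bytes, parent: Zone,
             trust_anchor: str) -> tuple[bool, str]:
    """Walk the delegation chain from `parent` up to the root and check it.

    Mirrors what a DNSSEC validator establishes: the root key matches the
    configured trust anchor and every key below it has a DS in its parent.
    Nothing here can tell a legitimately registered key from one the parent
    operator was talked into publishing a DS for.
    """
    chain = []
    z: Zone | None = parent
    while z is not None:
        chain.append(z)
        z = z.parent
    root = chain[-1]
    if key_digest(root.pubkey) != trust_anchor:
        return False, "root key does not match the trust anchor"
    # Each non-root zone in the chain must be vouched for by its parent.
    for child in reversed(chain[:-1]):
        if key_digest(child.pubkey) not in child.parent.ds.get(child.name, set()):
            return False, f"{child.name}: key not vouched for by {child.parent.name}"
    # Finally the key under test must have a DS in the immediate parent.
    if key_digest(candidate_key) not in parent.ds.get(zone_name, set()):
        return False, f"{zone_name}: key not vouched for by {parent.name}"
    return True, "chain valid"


def unexpected_ds(parent: Zone, child_name: str,
                  legitimate_keys: list[bytes]) -> set[str]:
    """Defender-side check: DS digests the parent publishes for `child_name`
    that do not correspond to any key the child operator actually holds."""
    expected = {key_digest(k) for k in legitimate_keys}
    return parent.ds.get(child_name, set()) - expected


def scenario() -> dict:
    """Constructed scenario: one legitimate key, one forged key the parent
    operator was persuaded to publish a DS for, and one key never submitted.
    Both of the first two validate; only unexpected_ds() flags the forged one."""
    root = Zone(".", b"root-key-constructed")
    tld = Zone("tld.", b"tld-key-constructed", parent=root)   # hypothetical TLD
    root.publish_ds("tld.", tld.pubkey)

    legit = b"zone-key-legit-constructed"
    forged = b"zone-key-forged-constructed"
    unsigned = b"zone-key-never-submitted-constructed"
    tld.publish_ds("zone.tld.", legit)
    tld.publish_ds("zone.tld.", forged)   # the parent vouched for a forged key

    anchor = key_digest(root.pubkey)
    return {
        "legit": validate("zone.tld.", legit, tld, anchor),
        "forged": validate("zone.tld.", forged, tld, anchor),
        "unsigned": validate("zone.tld.", unsigned, tld, anchor),
        "unexpected": unexpected_ds(tld, "zone.tld.", [legit]),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(label, result)
```

Running it shows `legit` and `forged` both returning `(True, "chain valid")` while `unsigned` is rejected; the forged key is distinguishable only by `unexpected_ds`, which needs knowledge the validator never has: which keys the zone operator actually generated. That is the practical mitigation for the concern raised in the thread: monitor the DS set your parent publishes for your zone and alert on any digest you did not submit.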