David Conrad wrote:

> You are aware, of course, that some ISPs are actively engaging
> in DNS response modification, right?

> Ignoring for a second that the Internet isn't the telephony system
> (intelligence in the network is in different places),

OK. You are saying that any network with intermediate intelligence to modify DNS responses is not a part of the Internet.

I agree with you. That is, we agree that the ISPs in your first statement are not really ISPs.

Note that it does not affect the resemblance of the weak security models of the Internet and the telephone network.

> there have been MITM attacks against the telephony system.

There will be MITM attacks (by a man who operates a CA in the middle of a CA chain) against DNSSEC. So?

> Cache poisoning is ALSO a result of the fact that the path
> between source and destination is not protected.

OK. As cache poisoning can occur with poorly implemented DNSSEC (e.g. with implementations which imprecisely check signatures), you should conclude that DNSSEC does not protect the path between source and destination.

DNSSEC does not give any protection to the CA path between source and destination, anyway.

Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf