Re: Securing DNS Re: IAB statement on the RPKI.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Phillip Hallam-Baker wrote:

> The point is that the particular obsession with 'end to end' solutions
> means that we loose the ability to deploy architectures that provide
> greater protection against the attacks that actually matter.

FYI, there is no point to insist on 'end to end' here, because DNS,
including plain old one not necessarilly DNSSEC, is not end to end.

DNS servers are intermediate intelligent entities betweeen peers,
though the servers are operated zone administrators between peers,
which are, in general, not ISPs between peers.

The lack of end to end property makes DNS, including DNSSEC,
vulnerable to MitM attacks at intermediate zones.

Though DNS resolvers can be, to avoid cache poisoning, implemented
end to end between client hosts and DNS servers without intermediate
resolvers, it's end to end merely between the client hosts and the
DNS servers and not between the clients and application servers of
the clients.

						Masataka Ohta


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]