Re: [ietf] DNS spoofing at captive portals

On 28 Sep 2010, at 02:20, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:
> On Mon, Sep 27, 2010 at 10:48 AM, Tony Finch <dot@xxxxxxxx> wrote:
>> On Fri, 24 Sep 2010, Phillip Hallam-Baker wrote:
>>>
>>> DNSSEC is a mechanism for establishing inter-domain trust. It is not an
>>> appropriate technology for intra-domain trust.
>>
>> Why not?
>
> Because the root of trust for any enterprise is the enterprise itself. Not ICANN.

DNSSEC does not require you to use only ICANN's trust anchor. You can also use your enterprise trust anchor, so you can validate your enterprise DNS independently of any third party.

(The keyassure work might make this approach to key distribution easier than running an enterprise X.509 CA. DNSSEC also has the advantage of a defined trust anchor rollover protocol.)

You can also use third party trust anchors such as the ISC's DLV.

Tony.
--
f.anthony.n.finch  <dot@xxxxxxxx>  http://dotat.at/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
