--On Friday, September 06, 2013 10:43 -0400 Joe Abley <jabley@xxxxxxxxxxx> wrote:

>> Can someone please tell me that BIND isn't being this stupid?
>
> This thread has mainly been about privacy and confidentiality.
> There is nothing in DNSSEC that offers either of those,
> directly (although it's an enabler through approaches like
> DANE to provide a framework for secure distribution of
> certificates). If every zone was signed and if every response
> was validated, it would still be possible to tap queries and
> tell who was asking for what name, and what response was
> returned.

Please correct me if I'm wrong, but it seems to me that DANE-like approaches are significantly better than traditional PKI ones only to the extent to which:

- The entities needing or generating the certificates are significantly more in control of the associated DNS infrastructure than entities using conventional CAs are in control of those CAs.

- For domains that are managed by registrars or other third parties (I gather a very large fraction of them at the second level), one believes those registrars or other operators have significantly more integrity and are harder to compromise than traditional third-party CA operators.

best,
   john