On Sun, Aug 10, 2014 at 05:35:03PM -0000, John Levine wrote:

> As far as I can tell, we don't have a good word to describe what
> DNSSEC does.

Nonsense. "This data was not tampered with while in transit from the authoritative server to you." That's what it does. That's not nothing, because DNS works over UDP and it has to cope with all manner of caches not under your control and not under the authoritative server's control.

It's true that it doesn't prove to you that the authoritative server hasn't been subverted. But that is no greater weakness than you had before: if the authoritative server is subverted, then it can also give you bad destination data.

It's also true that it can't protect against collusion across the zone cut: if the parent side of a zone cut (where a DS goes) colludes with a hijacking child side (where the corresponding DNSKEY goes), then the zone is well and truly owned.

If the desire is to have very strong end-to-end credentials, then you can still actually detect this using DNSSEC and not without it. You could have a strong certificate (like, say, an X.509 one) that you trust. You can also know that the target domain publishes its keys using DANE, so that you can check that the key you expect is the key they're using. If you don't get that when looking in the DNS, it would be prudent to assume the domain has been subverted.

But if you don't trust the parent side of the zone cut (which is often called "the registry", particularly when it is in control of the top-level domain), then no, you can't trust that you got where you wanted.

A

-- 
Andrew Sullivan
ajs@xxxxxxxxxxxxxxxxxx