Andrew,

Again, my point --and concern-- is not how DNSSEC works or the statements we make about it when we are being careful. It is about people engaging in hyperbole of the nature of "you have DNSSEC, now you are safe" (with the implication of "from all sorts of attacks") or using other language that implies that the threats that you (and John L.) have identified.

As an example, I've heard ISPs say things that a normal human being would interpret as "now that we have DNSSEC at our DNS servers, you are safe from phishing". The reality, of course, is that the trust relationships between my desktop (if it doesn't do its own validation) and that ISP's forwarding DNS server are, at best, complex (as others have pointed out as well) and that most of the key issues in phishing have nothing to do with anything DNSSEC addresses directly. As you point out, the protection gets stronger with out of band knowledge of the types you identify, but the typical user doesn't have that knowledge, wouldn't know what to do with it if he or she did, and so on. Most important, what they think the ISP is telling them is "you are safe now" and not "this is one more tool that, when added to others, caution, some skill, and good judgment, will considerably increase your resistance to attacks". The latter is certainly true. The former, at best, contributes to a dangerous and false sense of security.

To summarize, I'm not concerned with the technology not working as designed. I'm concerned with a false advertising and perception problem, whether that is intentional or just carelessness.

john

--On Sunday, August 10, 2014 14:18 -0400 Andrew Sullivan <ajs@xxxxxxxxxxxxxxxxxx> wrote:

> On Sun, Aug 10, 2014 at 05:35:03PM -0000, John Levine wrote:
>> As far as I can tell, we don't have a good word to describe
>> what DNSSEC does.
>
> Nonsense. "This data was not tampered with while in transit
> from the authoritative server to you." That's what it does.
>
> That's not nothing, because DNS works over UDP and it has to
> cope with all manner of caches not under your control and not
> under the authoritative server's control.
>
> It's true that it doesn't prove to you that the authoritative
> server hasn't been subverted. But that is no greater weakness
> than you had before: if the authoritative server is subverted,
> then it can also give you bad destination data.
>
> It's also true that it can't protect against collusion across
> the zone cut: if the parent side of a zone cut (where a DS
> goes) colludes with a hijacking child side (where the
> corresponding DNSKEY goes), then the zone is well and truly
> owned.
>
> If the desire is to have very strong end to end credentials,
> then you can still actually detect this using DNSSEC and not
> without it. You could have a strong certificate (like say an
> X.509 one) that you trust. You can also know that the target
> domain publishes its keys using DANE, so that you can check
> that the key you expect is the key they're using. If you
> don't get that when looking in the DNS, it would be prudent to
> assume the domain has been subverted.
>
> But if you don't trust the parent side of the zone cut (which
> is often called "the registry", particularly when it is in
> control of the top-level domain), then no, you can't trust
> that you got where you wanted.
>
> A
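The DANE check Andrew describes ("check that the key you expect is the key they're using") is, concretely, a comparison of the certificate or public key presented in the TLS handshake against the TLSA records published in the DNS. The following Python is an added illustration of that comparison as RFC 6698 specifies it; it is not code from either of the list participants. It assumes the TLSA records have already been obtained from a DNSSEC-validated answer (RFC 6698 requires that; a TLSA record from an unvalidated answer proves nothing, which is exactly the point of the thread), and the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, since the matching logic only hashes and compares bytes.

```python
import hashlib

# Constructed stand-ins for the DER bytes a real TLS handshake would supply.
# They are NOT real DER; the TLSA matching logic only hashes or compares
# bytes, so any byte string exercises it.
CONSTRUCTED_CERT_DER = b"constructed-end-entity-certificate-bytes"
CONSTRUCTED_SPKI_DER = b"constructed-subject-public-key-info-bytes"
OTHER_SPKI_DER = b"constructed-some-other-key"  # a key the domain did NOT publish


def parse_tlsa(presentation: str) -> tuple[int, int, int, bytes]:
    """Parse the RFC 6698 presentation form: 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the Certificate Association Data a TLSA record would carry.

    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype:    0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    """
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Produce the presentation-form TLSA record a zone operator would publish."""
    assoc = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_matches(records: list[str], cert_der: bytes, spki_der: bytes) -> bool:
    """Return True if any end-entity TLSA record matches the presented leaf.

    Only certificate usages 1 (PKIX-EE) and 3 (DANE-EE) can be decided from
    the leaf alone. Usages 0 and 2 constrain a CA in the chain and need
    chain handling that this example deliberately leaves out; usage 1 also
    still requires ordinary PKIX validation of the chain.
    """
    for record in records:
        usage, selector, mtype, published = parse_tlsa(record)
        if usage not in (1, 3):
            continue
        try:
            presented = association_data(selector, mtype, cert_der, spki_der)
        except ValueError:
            continue  # unknown selector/mtype: treat as unusable, not as a match
        if presented == published:
            return True
    return False


# What the domain actually published (DANE-EE, SPKI, SHA-256: the common form).
GOOD_RECORD = build_tlsa(3, 1, 1, CONSTRUCTED_CERT_DER, CONSTRUCTED_SPKI_DER)
# What a validator sees if the key in use is not the key the DNS says to expect.
STALE_RECORD = build_tlsa(3, 1, 1, CONSTRUCTED_CERT_DER, OTHER_SPKI_DER)

if __name__ == "__main__":
    print("published:", GOOD_RECORD)
    print("key matches DNS:", tlsa_matches([GOOD_RECORD], CONSTRUCTED_CERT_DER, CONSTRUCTED_SPKI_DER))
    print("mismatch -> assume subverted:",
          not tlsa_matches([STALE_RECORD], CONSTRUCTED_CERT_DER, CONSTRUCTED_SPKI_DER))
```

A mismatch, or an absent TLSA record where one is expected, is the signal Andrew says it would be prudent to treat as subversion. It does not make the rest of his caveats go away: the comparison is only as trustworthy as the DNSSEC validation that delivered the TLSA record, and that validation must happen on the client (or on a resolver the client has a trustworthy path to), not merely somewhere at the ISP.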