Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

All of this is true… ONLY to the extent that you have, in your possession and properly configured (AT YOUR OWN NODE),
a verified Trust Anchor - AND if the chain of custody terminates at one of the Trust Anchors you have configured.

Almost the same model as the CA keys stored in your browser…

A presumption is that folks will care for and actively manage their Trust Anchors. Just like folks care for and actively
manage their Browser Certificates.

As usual, YMMV and your vendor may or may not agree with your trust profile or allow you to set it.

/bill


On Saturday, 9 August 2014, at 14:34, Donald Eastlake <d3e3e3@xxxxxxxxx> wrote:

> Just to point out that DNSSEC authenticates data even in the case of
> null data; that is, it provides authenticated denial of the existence
> of data.
> 
> Thanks,
> Donald
> =============================
> Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
> 155 Beaver Street, Milford, MA 01757 USA
> d3e3e3@xxxxxxxxx
> 
> 
> On Sat, Aug 9, 2014 at 1:03 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
>> On Sat, 9 Aug 2014, Dave Crocker wrote:
>> 
>>> Data integrity is an important side-effect of crypto signing
>>> methodology.  However I'm not used to seeing it classed as the primary
>>> purpose of DNSSec, with no mention of authentication.
>> 
>> 
>> In the mid nineties when DNSSEC was worked on, there were two camps. The
>> DNS people who wanted to only secure DNS and explicitly did NOT
>> want the DNS to become a PKI. And those that mainly wanted secure
>> DNS to make a new PKI (e.g. Gilmore and the FreeS/WAN people). This
>> fight continued throughout, and is the reason KEY/SIG/NXT changed to
>> DNSKEY/RRSIG/NSEC. The change dictated those records were for DNS only
>> and not for use by applications as PKI.
>> 
>> So the PKI people had to silently go along with the DNS people to
>> write and deploy DNSSEC, so that they could add their RRTYPEs for a
>> PKI later even if the DNS people hated the idea. That is why you don't
>> see it listed anywhere in any document as a purpose of DNSSEC.
>> 
>> Paul
>> 
>> 
>> _______________________________________________
>> saag mailing list
>> saag@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/saag
> 
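Bill's point above, that the chain of custody only counts if it terminates at a Trust Anchor configured at YOUR OWN NODE, as an added example (not code from anyone on this thread): a validator-side check that walks a DS/DNSKEY chain top-down and accepts it only when the top key matches a locally configured anchor and every lower key matches the DS its parent published. The keys are constructed byte patterns, not real DNSKEYs, and RRSIG verification is assumed to happen elsewhere.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags(2) protocol(1, fixed at 3) algorithm(1) public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, the non-RSA/MD5 form)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA (RFC 4509 s2)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def chain_terminates_at_anchor(anchors, chain):
    """anchors: {(zone, key_tag, ds_digest_hex)} configured at THIS node.
    chain: [(zone, dnskey_rdata, ds_hex_published_by_parent)] from the top-most zone
    down to the leaf; the top entry carries None since no parent publishes its DS.
    Only the DS linkage is checked; RRSIG verification is assumed to happen elsewhere."""
    if not chain:
        return False
    for i, (zone, rdata, parent_ds) in enumerate(chain):
        digest = ds_digest(zone, rdata)
        if i == 0:
            if (zone.lower(), key_tag(rdata), digest) not in anchors:
                return False  # chain does not end at one of OUR anchors
        elif digest != parent_ds:
            return False  # link broken: parent's DS does not match this zone's key
    return True

# Constructed keys (not real DNSKEYs): fixed byte patterns standing in for public keys.
ROOT_KSK = dnskey_rdata(257, 13, bytes(range(32)))
EXAMPLE_KSK = dnskey_rdata(257, 13, bytes(range(32, 64)))
OTHER_KSK = dnskey_rdata(257, 13, bytes(range(64, 96)))
# The anchor set a careful operator maintains locally (here: only the constructed root KSK).
LOCAL_ANCHORS = {(".", key_tag(ROOT_KSK), ds_digest(".", ROOT_KSK))}
GOOD_CHAIN = [(".", ROOT_KSK, None), ("example.", EXAMPLE_KSK, ds_digest("example.", EXAMPLE_KSK))]
# Same child key, but hung off a hierarchy whose top key is NOT a configured anchor.
ROGUE_CHAIN = [(".", OTHER_KSK, None), ("example.", EXAMPLE_KSK, ds_digest("example.", EXAMPLE_KSK))]
```

A validator with an empty or stale anchor set rejects even a perfectly consistent chain, which is the operational side of "care for and actively manage their Trust Anchors".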
