On 2/27/15 3:40 PM, Sam Hartman wrote:
>>>>>> "Eliot" == Eliot Lear <lear@xxxxxxxxx> writes:
>
>     Eliot> DNSSEC: it's not just for breakfast anymore.
>
> I've mentioned this before, but DNSSec is not really a complete answer
> here.
> DNSSec is only an appropriate answer when the set of DNS trust anchors
> are appropriate to the information being protected.
>
> Today, I expect for many applications that the information entered by
> the user will be validated against an application-specific set of trust
> anchors. If DNS is trusted to make decisions about what my target
> security principal can be, then the DNS trust anchors become part of
> that trusted set. For a number of enterprise applications that's really
> bad from a security standpoint.

You imply that somehow DNS has a separate decision process from the application. Why is that?

Eliot