On Monday, July 13, 2015 11:47 AM, Viktor Dukhovni wrote
> On Mon, Jul 13, 2015 at 02:36:18PM -0400, Sam Hartman wrote:
>
> > I have never been convinced that DNSsec validation of A or AAAA
> > records has value. I understand I am a heretic in the security
> > community for saying that, but there it is.
>
> I'm inclined to agree that the value is marginal.
>
> ...
>
> Forging IP address records in DNS is rather tamper-evident. It is far more
> attractive to attack BGP, and MiTM or just monitor the traffic transparently.

Consider the use case. The hot spot controls the default router, and often
implements a NAT. They can decide to terminate the A or AAAA address wherever
they please. The value of ensuring proper name to address resolution is indeed
marginal.

-- Christian Huitema