On Wed, Nov 27, 2013 at 3:34 PM, Nico Williams <n...@cryptonector.com> wrote:
> On Wed, Nov 27, 2013 at 08:01:19PM +0000, Stephen Farrell wrote:
>> On 11/27/2013 06:58 PM, Nico Williams wrote:
>> > [...]
>> >
>> The problem with DANE is the lack of DNSSEC. If we had both [...]
>
> When I refer to DANE, I also mean that DNSSEC must be there. We're
> getting there.

Isn't the key distribution problem being pushed into DNS? The underlying problem still exists.
Perhaps we could have higher confidence in DNS if it was not controlled by the US. A diversification strategy won't work when 10 or so of the 13 servers are required to give bad answers. That is, cross checking A (Verisign) with, for example, E, F, G, and H (ISC, GOV and DoD) won't validate anything. And getting an authentic answer from a non-US controlled server is another problem altogether.

Jeff
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography