> First, DNSSEC does not provide confidentiality. Given that, it's not clear
> to me why the NSA would try to stop or slow its deployment.
If it isn't, then you haven't considered its likely effects.

First of all, it makes CAs visibly redundant. If people stop using CAs, that multiplies the number of channels that must be compromised in order to eavesdrop. Furthermore, it makes those channels parties who are actually interested in the authenticity of the communications, such as the companies whose keys are being authenticated. In short, it means the NSA would have to deal directly with the people they want to eavesdrop on. That makes reaching a covert deal to expose keys a bit more difficult, I'm thinking.

Secondly, it is the case that a DNS cache poisoning attack is an occasionally useful technique allowing attackers to access things that some people would rather they didn't access. Such attackers may or may not, apparently, include the NSA themselves, and if they depend on that capability, then DNSSEC could be seen by them as a threat against a useful channel for obtaining information.

Bear

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography