On Wed, 24 Oct 2012, Guangqing Deng wrote:
> > > usage 0 TLSA record but not usage 2/3 TLSA records, which is discussed in other sections. So, the statement “even if a DNS operator falsifies DANE records, it cannot masquerade as the target server unless it can also obtain a certificate for the target domain” is correct.
> >
> > But it can, just by updating the A/AAAA record to a server it owns.
>
> What you pointed out is about the incorrect configuration of DNS resource records, which may be another story. Just as previously discussed in this mailing list, DNSSEC may add data integrity protection and data origin authentication but definitely not the trustworthiness for the DNS resource records that it protects. If the DNS operator is going to do something bad (such as incorrectly configuring DNS resource records) intentionally or unintentionally, DNSSEC cannot stop the DNS operator from doing that.

And if DNSSEC TLSA records claim things about PKIX, that can be changed too.

So I still don't understand your point (or Mark's).

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
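As an added illustration of the point argued in this exchange (not code from the thread or from any DANE implementation): a constructed, deliberately simplified model of the RFC 6698 certificate usages, showing why a usage 0 record still requires a certificate from the named CA while a zone operator who controls both the A/AAAA and TLSA records can publish a usage 3 record that its own self-signed certificate satisfies. The `Cert` and `TLSA` stand-ins, the hostname `www.example.test`, the "Public CA" root and the absence of real signature checking are all assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins: a "certificate" is just subject, issuer and key bytes; no real signatures.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject of the signing cert; equals subject for a self-signed root
    key: bytes    # placeholder for the public key

@dataclass(frozen=True)
class TLSA:
    usage: int    # RFC 6698 certificate usage: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    digest: str   # selector 0 (full cert), matching type 1 (SHA-256) over the stand-in encoding

def cert_digest(cert):
    return hashlib.sha256(f"{cert.subject}|{cert.issuer}|".encode() + cert.key).hexdigest()

def chain_links(chain):
    # chain[0] is the end entity, each cert names the next as its issuer, the last is self-signed
    linked = all(c.issuer == nxt.subject for c, nxt in zip(chain, chain[1:]))
    return linked and chain[-1].issuer == chain[-1].subject

def dane_accepts(chain, tlsa, pkix_roots):
    digests = [cert_digest(c) for c in chain]
    pkix_ok = chain_links(chain) and chain[-1] in pkix_roots   # root store the client already trusts
    if tlsa.usage == 0:   # PKIX-TA: PKIX validation must pass AND the named CA must be in the chain
        return pkix_ok and tlsa.digest in digests[1:]
    if tlsa.usage == 1:   # PKIX-EE: PKIX validation must pass AND the end-entity cert must match
        return pkix_ok and tlsa.digest == digests[0]
    if tlsa.usage == 2:   # DANE-TA: chain must lead to the named anchor; PKIX root store is ignored
        return chain_links(chain) and tlsa.digest in digests[1:]
    if tlsa.usage == 3:   # DANE-EE: only the end-entity cert is checked; no PKIX at all
        return tlsa.digest == digests[0]
    return False

def zone_operator_scenario():
    public_ca = Cert("Public CA", "Public CA", b"ca-key")
    legit = [Cert("www.example.test", "Public CA", b"owner-key"), public_ca]
    rogue = [Cert("www.example.test", "www.example.test", b"operator-key")]  # self-signed, no CA issuance
    owner_tlsa = TLSA(0, cert_digest(public_ca))     # what the domain owner meant to publish
    operator_tlsa = TLSA(3, cert_digest(rogue[0]))   # what a zone operator can publish (and DNSSEC-sign) instead
    return {
        "usage0_owner_server": dane_accepts(legit, owner_tlsa, [public_ca]),        # True
        "usage0_operator_server": dane_accepts(rogue, owner_tlsa, [public_ca]),     # False: needs a Public CA cert
        "usage3_operator_server": dane_accepts(rogue, operator_tlsa, [public_ca]),  # True: signed is not trusted
    }
```

The third outcome is the thread's point in miniature: DNSSEC vouches that the records came from the zone, not that the zone operator is honest, so a client relying on usage 2/3 records trusts the operator as much as it trusts a CA.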
