On Mon, 28 Jul 2014, Rene Bartsch wrote:
Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see how it
would help. Consider the following case:
(Forced by secret US law) The IANA secretly hands over the current private
key of the DNSSEC trust anchor to a US government agency which uses the
private key to sign forged zones and feeds them to DNS resolvers. That way US
government agencies would be able to manipulate any DNS record including
OpenPGP while users would be lulled in a false sense of security.
In case I didn't miss any super-security feature users should be aware of
that fact.
An audit log or reputation system would prevent the user from believing
a signed answer by a different "good" key. For the USG to take over your domain,
for which they do not have the private key, they need to take over the
parent domain and change the key listed there. That change can be
detected by you.
Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
