On Thu, 31 Jul 2014, Rene Bartsch wrote:

> It seems DNSSEC/DANE helps against most hackers and attackers but cannot protect from attackers who have access to both the trust anchor keys and routing infrastructure.

Whom do you trust? "No one" is not a valid answer. The best we can do is
audit/log the KSKs and do some kind of "N of M" verification that such
keys are in the public world view. Of course, that leads to small
outages during rollovers....

> Do the DNSSEC RFCs allow distributing public KSKs of TLDs with resolver software?

Of course. That's not so much a matter of protocol but of local policy.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
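
The "N of M" verification mentioned in the reply above, sketched as an added example; it is not part of the original message and not code from any resolver. The vantage-point names, the `example.` zone, the key bytes and the function names are all constructed or hypothetical, and comparing keys by their SHA-256 DS digest is an assumption of this sketch.

```python
import hashlib

SEP = 0x0001  # Secure Entry Point bit in the DNSKEY flags field (set on KSKs)

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire form | DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def quorum_check(owner: str, observations: dict, n: int):
    """observations maps vantage point -> list of DNSKEY RDATA it received.
    Returns (accepted, audit): KSK digests reported by at least n vantage
    points, and for every KSK digest the vantage points that reported it."""
    seen_by = {}
    for vantage, rdatas in observations.items():
        for rdata in rdatas:
            if int.from_bytes(rdata[:2], "big") & SEP:  # ignore ZSKs
                seen_by.setdefault(ds_sha256(owner, rdata), set()).add(vantage)
    accepted = {d for d, v in seen_by.items() if len(v) >= n}
    audit = {d: sorted(v) for d, v in seen_by.items()}
    return accepted, audit

# Constructed sample data: a rollover in progress (vp2, vp3 already see the
# new KSK) and one vantage point (vp5) that is served an unexpected KSK.
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-ksk")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-ksk")
ODD_KSK = dnskey_rdata(257, 8, b"constructed-unexpected-ksk")
ZSK = dnskey_rdata(256, 8, b"constructed-zsk")
OBSERVATIONS = {
    "vp1": [OLD_KSK, ZSK],
    "vp2": [OLD_KSK, NEW_KSK, ZSK],
    "vp3": [OLD_KSK, NEW_KSK, ZSK],
    "vp4": [OLD_KSK, ZSK],
    "vp5": [ODD_KSK, ZSK],
}

if __name__ == "__main__":
    accepted, audit = quorum_check("example.", OBSERVATIONS, n=3)
    for digest, vantages in sorted(audit.items()):
        status = "ACCEPT" if digest in accepted else "LOG-ONLY"
        print(f"{status:8} {digest[:16]}... seen by {vantages}")
```

With a 3-of-5 threshold the new KSK stays below quorum until more vantage points see it, which is the rollover gap the reply refers to; the audit map records which vantage point reported the key nobody else saw.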