On 2014-07-31 17:10, Paul Wouters wrote:
> On Thu, 31 Jul 2014, Rene Bartsch wrote:
>> It seems DNSSEC/DANE helps against most hackers and attackers but
>> cannot protect from attackers who have access to both the trust
>> anchor keys and routing infrastructure.
> Whom do you trust? "No one" is not a valid answer.
> http://en.wikipedia.org/wiki/Bundesnachrichtendienst#History

In global communication I only trust mathematically proven algorithms.
But don't worry, I trust people I've known for years personally. ;-)

> The best we can do is
> audit/log the KSKs and do some kind of "N of M" verification that such
> keys are in the public world view. Of course, that leads to small
> outages during rollovers...
>> Do the DNSSEC RFCs allow distributing public KSKs of TLDs with
>> resolver software?
> Of course. That's not so much a matter of protocol but of local policy.
> Paul

In hierarchical architectures we always have a more or less trustworthy
anchor. So we should clearly describe the security limitations in the
security considerations section. Real security has to wait until the
next evolution step of the internet (maybe blockchains?).
Renne
--
Best regards,
Rene Bartsch, B. Sc. Informatics
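Paul's suggestion of auditing the KSKs and doing an "N of M" check that a resolver's shipped trust anchor matches the public world view, as an added example that is not part of the original thread: it derives DS digests (RFC 4034/4509) from DNSKEY RDATA, then requires a quorum of vantage points to agree before a locally pinned anchor is treated as confirmed. All keys, owner names and vantage points below are constructed sample data, not real root or TLD material.

```python
import hashlib
import struct
from collections import Counter

def name_to_wire(name):
    """Owner name ('.' or 'example.') in canonical DNS wire form, lowercased (RFC 4034 6.2)."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA (RFC 4034 2.1): flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the RDATA (RFC 4034 Appendix B, non-RSA/MD5 variant)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256(owner name wire || DNSKEY RDATA), hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def quorum_anchors(observations, n):
    """DS digests seen by at least n of the M vantage points in {vantage: {digest, ...}}."""
    counts = Counter(d for digests in observations.values() for d in digests)
    return {d for d, c in counts.items() if c >= n}

def check_local_anchor(local_ds, observations, n):
    """Compare the DS shipped with the resolver against the N-of-M world view: 'ok' (quorum
    agrees), 'partial' (seen below quorum: rollover in progress or a split view to log), 'absent'."""
    seen = sum(1 for digests in observations.values() if local_ds in digests)
    if seen >= n:
        return "ok"
    return "partial" if seen > 0 else "absent"

if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257 = ZONE|SEP) for the root, shipped with a resolver.
    ksk = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")   # not a real key
    pinned = ds_sha256(".", ksk)
    # Constructed observations from four vantage points; two already see a successor key.
    successor = ds_sha256(".", dnskey_rdata(257, 3, 13, b"\x09\x09"))
    view = {"vp-a": {pinned}, "vp-b": {pinned}, "vp-c": {pinned, successor}, "vp-d": {successor}}
    print("keytag", key_tag(ksk), "anchors", len(quorum_anchors(view, 3)), check_local_anchor(pinned, view, 3))
```

A real deployment would populate `observations` from independent resolvers or logged DS/DNSKEY fetches; the "partial" state is exactly the rollover window Paul describes, where the check should alarm rather than silently accept either key.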
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane