Hello Hosnieh,

Hosnieh Rafiee writes:

> Ok then I am an attacker, since you cannot authenticate me, I sign the
> data myself. This has data integrity. But it is the modified data and
> not what you expected to receive...

How can you sign DNSSEC data without being in possession of the private signing key(s) all the way to the root?

DNSSEC adds data integrity, and with one or more trust anchors in the resolver the client is able to validate the data, no matter which way the data took.

The benefit of this proposal is to add encryption, so that not everyone on the same network (wireless etc.) can monitor the traffic. Sure, the operator of the un-authenticated DNS resolver can monitor, but now everyone could possibly monitor. With encryption, only the operator could. Not optimal, but better.

And yes, some people care to keep their DNS queries private.

-- 
Carsten Strotmann
Email: [email protected]
Blog: strotmann.de

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
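A toy model of the chain-of-trust check described in the reply above, added here as an example and not code from the thread: a resolver configured with the root key as its trust anchor verifies the RRSIG under the zone key and then follows parent-signed DS records up to the root, so an attacker who signs modified data with a key of their own fails validation. It uses Ed25519 and a simplified DS/RRSIG layout rather than the real DNSSEC wire format; the zone names and the sample RRset are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Zone is a toy DNSSEC zone: a key pair plus the DS (hash of its public key) that the parent signs.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	DS     [32]byte // sha256(Pub), as published in the parent zone
	DSSig  []byte   // signature over Name||DS: the parent's, if legitimate
	Parent *Zone    // nil for the root
}

// NewZone creates a zone under parent; signer vouches for its DS (nil = self-signed).
func NewZone(name string, parent *Zone, signer ed25519.PrivateKey) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if signer == nil { // the root, or a forger who lacks the parent's key
		signer = priv
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, DS: sha256.Sum256(pub), Parent: parent}
	z.DSSig = ed25519.Sign(signer, append([]byte(name), z.DS[:]...))
	return z
}

// Validate does what a validating resolver does: check the RRSIG under the zone
// key, then follow the DS chain upward until it reaches the configured trust anchor.
func Validate(anchor ed25519.PublicKey, z *Zone, rrset, rrsig []byte) bool {
	ok := ed25519.Verify(z.Pub, rrset, rrsig)
	for ; ok && z.Parent != nil; z = z.Parent {
		msg := append([]byte(z.Name), z.DS[:]...)
		ok = sha256.Sum256(z.Pub) == z.DS && ed25519.Verify(z.Parent.Pub, msg, z.DSSig)
	}
	return ok && z.Pub.Equal(anchor)
}

// Demo reports whether a legitimate answer and a self-signed forgery validate.
func Demo() (legit, forged bool) {
	root := NewZone(".", nil, nil)
	com := NewZone("com.", root, root.priv)
	example := NewZone("example.com.", com, com.priv)
	forger := NewZone("example.com.", com, nil) // cannot obtain com's key
	rr := []byte("example.com. A 192.0.2.1")  // constructed sample RRset
	return Validate(root.Pub, example, rr, ed25519.Sign(example.priv, rr)),
		Validate(root.Pub, forger, rr, ed25519.Sign(forger.priv, rr))
}
func main() { fmt.Println(Demo()) } // prints: true false
```

The forger's answer carries a perfectly good signature, but the key that made it is not vouched for by any DS chain ending at the anchor, which is the point being made in the reply.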
