> > How can you sign DNSSEC data without being in the posession of the private > signing key(s) all the way to the root?
The problem is this bad guy resolver is on a way and has a possibility to send any information it wants to this node. For asking about anything again the node needs to ask this fake DNSSEC resolver that is on a way. The node also cannot verify this fake DNSSEC resolver. I think, like an example I explained in other message, this can happen. If you say it cannot please explain how? Because all the queries are through this bad guy. This bad guy introduced himself as a first resolver and first point of contact. > DNSSEC adds data integrity, and with one or more trust-anchors in the > resolver the client is able to validate the data, no matter which way the data > took. Yes true but when you cannot identify the source of this data, it doesn't matter that the data integrity is available. I am the first point of contact and the node doesn't have any possibility to ask other resolvers. For verification, whatever he asks, I introduced my own fake servers and provide him with my own generated data. that is actually correct (because I am the owner of key and I signed these data) but if this node had another server to ask, then he could understand that I gave him wrong information. It is similar to the case that the node is in an island and isolated. Only one point of contact which is a pirate. > The benefit of this proposal is to add encrption, so that not everyone on the > same network (wireless etc) can monitor the traffic. Please refer to my other message which answers this > Sure, the operator of the un-authenticated DNS resolver can monitor, but > now everyone could possibly monitor. With encryption, only the operator > could. Not optimal, but better. > > And yes, some people care to keep their DNS queries private. Best, Hosnieh _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
