Hi Stephane, > On Tue, Aug 19, 2014 at 09:17:10PM +0200, Hosnieh Rafiee > <[email protected]> wrote a message of 59 lines which said: > > > If you think when your domain is signed by DNSSEC, a fake resolver > > cannot cause any problem for you, I gives you an example. > > [Andrew Sullivan explained why this example depends on a lack of > understanding of DNSSEC.]
Probably I could not explain exactly my meaning. Please check my answer to Carsten and the revised version of that sample. The important thing is stub resolver is not recursive resolver and the expectation of querying different authoritative DNSSEC server for this verification seems to be impractical. > > But this is not a case for resolver scenario where the attacker can > > actively introduced himself as a resolver. > > [Paul Wouters already explained that it makes no sense to authentify a > DHCP-obtained resolver - since DHCP itself is not secure. You > authentify hard-wired resolvers only.] :-) and my answer was that in this case, it does not make sense to do any encryption because we are boiling the ocean water as the observer already can play a role of resolver and access the data that we try to hide him. My other answer was also was the attempts to secure DHCP and authentication. Encryption without authentication is like someone hide his head in the sand and assume that he has privacy while others can see his body clearly. Best, Hosnieh _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
