Mark Andrews wrote:
>>BTW, DNS is definitely not end-to-end, because it relies on
>>intelligent intermediate entities of name servers.
> Actually it doesn't. It can be configured that way but
> there is no requirement to actually use a caching nameserver.
I'm not talking about caching servers.
> Authoritative nameserver to iterative client works.
There are intelligent intermediate entities of root, TLD and
other servers between you and authoritative nameservers of your
peer.
Because DNS is not end to end, DNSSEC is not secure end to end.
Root, TLD and other zones between you and a zone of your peer
are the targets of MitM attacks on DNSSEC.
Masataka Ohta
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
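The dependency Ohta is pointing at, as an added example that is not code from the thread or from any DNS implementation: a toy DNSSEC chain-of-trust validator in Go using only the standard library (crypto/ed25519, crypto/sha256). It collapses each zone to one key, computes a DS as SHA-256 over a constructed "name|key" string rather than the RFC 4034 wire format, and uses the reserved names "example." and "peer.example." as a hypothetical TLD and peer zone. It validates an honest chain, rejects a forged delegation from an outsider who holds no parent key, and accepts a forged delegation published by whoever holds the intermediate zone's key, which is the point: the resolver only ever trusts the leaf through the zones above it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a simplified DNSSEC zone with a single signing key (real zones
// split KSK and ZSK; collapsed here so the chain logic stays visible).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// DS models a delegation-signer record: a digest of the child's key plus the
// parent's signature over it (the RRSIG on the DS RRset). The digest input
// is a constructed "name|key" form, not the RFC 4034 wire format.
type DS struct {
	Child  string
	Digest [32]byte
	Sig    []byte
}

func dsDigest(child string, key ed25519.PublicKey) [32]byte {
	return sha256.Sum256(append([]byte(child+"|"), key...))
}

func dsMessage(ds DS) []byte { return append([]byte(ds.Child+"|"), ds.Digest[:]...) }

// PublishDS: the parent vouches for whatever key it is handed for the child.
func (z *Zone) PublishDS(child string, key ed25519.PublicKey) DS {
	ds := DS{Child: child, Digest: dsDigest(child, key)}
	ds.Sig = ed25519.Sign(z.priv, dsMessage(ds))
	return ds
}

// Link is one delegation step as a resolver sees it: the DNSKEY the child
// serves, and the DS its parent signed for it.
type Link struct {
	ChildName string
	ChildKey  ed25519.PublicKey
	ParentDS  DS
}

// Validate walks from the trust anchor to the leaf. A child's key is trusted
// only because its parent signed a DS that matches it; the resolver has no
// direct relationship with the leaf zone at all.
func Validate(anchor ed25519.PublicKey, chain []Link) (ed25519.PublicKey, error) {
	trusted := anchor
	for _, l := range chain {
		if l.ParentDS.Child != l.ChildName {
			return nil, fmt.Errorf("DS for %q presented at %q", l.ParentDS.Child, l.ChildName)
		}
		if !ed25519.Verify(trusted, dsMessage(l.ParentDS), l.ParentDS.Sig) {
			return nil, fmt.Errorf("parent signature over DS for %q does not verify", l.ChildName)
		}
		if dsDigest(l.ChildName, l.ChildKey) != l.ParentDS.Digest {
			return nil, fmt.Errorf("DS for %q does not match served DNSKEY", l.ChildName)
		}
		trusted = l.ChildKey
	}
	return trusted, nil
}

// Scenario validates three chains for the hypothetical zones "example." and
// "peer.example.": honest (real keys, real parents), outsider (attacker with
// no parent key forges the leaf DS), insider (holder of the "example." key
// publishes a DS for the attacker's key under the peer's name).
func Scenario() (honest, outsider, insider bool) {
	root, tld, peer := NewZone("."), NewZone("example."), NewZone("peer.example.")
	attacker := NewZone("peer.example.") // same name, attacker's own key
	rr := "www.peer.example. A 192.0.2.1" // constructed answer data

	check := func(chain []Link, signer *Zone) bool {
		key, err := Validate(root.Pub, chain)
		return err == nil && ed25519.Verify(key, []byte(rr), ed25519.Sign(signer.priv, []byte(rr)))
	}
	tldLink := Link{ChildName: tld.Name, ChildKey: tld.Pub, ParentDS: root.PublishDS(tld.Name, tld.Pub)}

	honest = check([]Link{tldLink, {ChildName: peer.Name, ChildKey: peer.Pub,
		ParentDS: tld.PublishDS(peer.Name, peer.Pub)}}, peer)
	outsider = check([]Link{tldLink, {ChildName: attacker.Name, ChildKey: attacker.Pub,
		ParentDS: attacker.PublishDS(attacker.Name, attacker.Pub)}}, attacker)
	insider = check([]Link{tldLink, {ChildName: attacker.Name, ChildKey: attacker.Pub,
		ParentDS: tld.PublishDS(attacker.Name, attacker.Pub)}}, attacker)
	return honest, outsider, insider
}

func main() {
	h, o, i := Scenario()
	fmt.Printf("honest: %v  outsider forgery accepted: %v  insider forgery accepted: %v\n", h, o, i)
}
```

The outsider case fails at the parent-signature check because the forged DS is not signed by the key the resolver currently trusts; the insider case passes every check the validator can make, since the intermediate zone really did sign it. Detecting that substitution requires something outside the chain (an out-of-band copy of the peer's key, or monitoring of the published DS), which is exactly what DNSSEC alone does not give a resolver.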