> Mark Andrews wrote:
>
> >>BTW, DNS is definitely not end-to-end, because it relies on
> >>intelligent intermediate entities of name servers.
>
> > Actually it doesn't. It can be configured that way but
> > there is no requirement to actually use a caching nameserver.
>
> I'm not talking about caching servers.
>
> > Authoritative nameserver to iterative client works.
>
> There are intelligent intermediate entities of root, TLD and
> other servers between you and authoritative nameservers of your
> peer.
>
> Because DNS is not end to end, DNSSEC is not secure end to end.
>
> Root, TLD and other zones between you and a zone of your peer
> are the targets of MitM attacks on DNSSEC.
Which can be removed if needed by exchanging trust anchors
with peers.
Anything other than one-to-one exchange of secrets/public
keys involves some trust that the introducer is doing the
right thing.
The introducers in DNSSEC are the parent chain.
The introducers in HTTPS are the CAs.
If you have a solution that scales I'd love to hear it.
> Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
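To make the trust-anchor point concrete, here is an added toy model of DNSSEC chain-of-trust walking; it is illustrative code written for this thread, not BIND or ISC code and not from either poster. It keeps only one key-signing key per zone and DS-style SHA-256 digests (no RRSIGs, algorithm fields or zone-signing keys), and all zone names and key bytes are constructed. It shows which zones' keys a validator has to rely on when it holds only a root anchor, versus when it also holds an anchor exchanged directly with the peer zone.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed toy data: one key-signing key (KSK) per zone. Real DNSSEC has
# more moving parts; this model keeps only what the trust-path argument needs.
ZONE_KSK: Dict[str, bytes] = {
    ".": b"constructed-root-ksk",
    "example.": b"constructed-example-ksk",
    "peer.example.": b"constructed-peer-ksk",
}


def ds_digest(key: bytes) -> str:
    """DS-style digest of a key (SHA-256 hex, as in DS digest type 2)."""
    return hashlib.sha256(key).hexdigest()


def parent_zone(zone: str) -> Optional[str]:
    """'peer.example.' -> 'example.', 'example.' -> '.', '.' -> None."""
    if zone == ".":
        return None
    labels = zone.rstrip(".").split(".")
    return "." if len(labels) == 1 else ".".join(labels[1:]) + "."


def ancestors(zone: str) -> List[str]:
    """Chain from the root down to zone, e.g. ['.', 'example.', 'peer.example.']."""
    chain = [zone]
    parent = parent_zone(zone)
    while parent is not None:
        chain.append(parent)
        parent = parent_zone(parent)
    return list(reversed(chain))


def publish_ds(keys: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Each parent zone publishes a DS record (digest) for its child's KSK.
    Whatever the parent publishes here is what a root-anchored validator
    will believe: the parent is the introducer."""
    ds: Dict[str, Dict[str, str]] = {}
    for zone, key in keys.items():
        parent = parent_zone(zone)
        if parent is not None:
            ds.setdefault(parent, {})[zone] = ds_digest(key)
    return ds


def validate_chain(zone: str, keys: Dict[str, bytes],
                   ds: Dict[str, Dict[str, str]],
                   trust_anchors: Dict[str, str]) -> List[str]:
    """Return the list of zones whose keys were relied upon to accept
    zone's KSK, or raise ValueError if the chain does not validate.

    trust_anchors maps zone -> locally configured DS digest. Validation
    starts at the deepest anchor covering zone and walks DS -> DNSKEY
    downward, so zones above that anchor are never consulted."""
    chain = ancestors(zone)
    anchored = [z for z in chain if z in trust_anchors]
    if not anchored:
        raise ValueError("no trust anchor covers " + zone)
    start = anchored[-1]                  # closest (deepest) anchor wins
    path = chain[chain.index(start):]
    expected = trust_anchors[start]
    for i, z in enumerate(path):
        if ds_digest(keys[z]) != expected:
            raise ValueError("key for %s does not match DS/anchor" % z)
        if i + 1 < len(path):             # fetch the DS the parent vouches with
            child = path[i + 1]
            expected = ds.get(z, {}).get(child)
            if expected is None:
                raise ValueError("%s publishes no DS for %s" % (z, child))
    return path


def validates(zone: str, keys: Dict[str, bytes],
              ds: Dict[str, Dict[str, str]],
              trust_anchors: Dict[str, str]) -> bool:
    """Boolean wrapper around validate_chain for callers that only need yes/no."""
    try:
        validate_chain(zone, keys, ds, trust_anchors)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ds = publish_ds(ZONE_KSK)
    root_only = {".": ds_digest(ZONE_KSK["."])}
    with_peer = dict(root_only, **{"peer.example.": ds_digest(ZONE_KSK["peer.example."])})
    print("root anchor only :", validate_chain("peer.example.", ZONE_KSK, ds, root_only))
    print("plus peer anchor :", validate_chain("peer.example.", ZONE_KSK, ds, with_peer))
```

With only the root anchor, the returned path is the whole parent chain: root and `example.` are the introducers, and a DS they publish for any key is accepted. With an anchor exchanged directly with `peer.example.`, the path collapses to that single zone, and a DS published above it for a different key no longer validates. That is the trade the thread is discussing: the one-to-one anchor removes the introducers but does not scale beyond the peers you can exchange keys with by hand.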
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop