> Mark Andrews wrote:
>
> >>Because DNS is not end to end, DNSSEC is not secure end to end.
> >>
> >>Root, TLD and other zones between you and a zone of your peer
> >>are the targets of MitM attacks on DNSSEC.
>
> > Which can be removed if needed by exchanging trust anchors
> > with peers.
>
> You can't.
>
> To exchange the trust anchors, you need cryptographically secure
> end to end security, which is not provided by DNSSEC.
>
> If you and your peer already have a secure channel, you have no
> reason to use DNSSEC for secure identification nor communication
> with the peer.
Incorrect.
>
> > Anything other than one-to-one exchange of secrets/public
> > keys involves some trust that the introducer is doing the
> > right thing.
>
> As the level of security is no different from PODS, it is the
> worst thing to bother to exchange public keys.
Incorrect.
> > If you have a solution that scales I'd love to hear it.
>
> Because DNS is not end to end, DNS does not really scale,
> manifestation of which is load on root servers.
Non-answer.
> Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
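The point in dispute above is whether a locally configured trust anchor for a peer's zone takes the root and TLD out of the validation path. The following added model (not code from either poster, and performing no real DNSSEC cryptography) implements the rule a validating resolver applies, namely that validation starts at the closest enclosing configured trust anchor (RFC 4035 section 5.1 / RFC 6840), and shows which zones an attacker would have to control to forge validated answers. It assumes every label boundary is a zone cut; names like `peer.example.` are constructed placeholders.

```python
# Constructed model of trust-anchor selection in a validating resolver.
# No key material, signatures or network access: only the chain-of-trust
# bookkeeping that decides which zones' DS/DNSKEY answers must be trusted.

def ancestors(name: str) -> list[str]:
    """Zone cut path from the root down to `name`, inclusive.

    'peer.example.' -> ['.', 'example.', 'peer.example.']
    (assumes every label boundary is a zone cut)
    """
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        path.append(".".join(labels[i:]) + ".")
    return path


def validation_chain(zone: str, trust_anchors: set[str]) -> list[str]:
    """Zones whose DS/DNSKEY records must be trusted to validate `zone`.

    The walk begins at the closest enclosing configured trust anchor and
    follows DS delegations down to `zone`; zones above that anchor play no
    part in validation.  Raises if no configured anchor covers the zone.
    """
    path = ancestors(zone)
    for i in range(len(path) - 1, -1, -1):
        if path[i] in trust_anchors:
            return path[i:]
    raise ValueError(f"no trust anchor covers {zone}")


def exposed_to(zone: str, trust_anchors: set[str], attacker_zone: str) -> bool:
    """True if forged DS/DNSKEY answers for `attacker_zone` could lead the
    resolver to accept forged data for `zone` as validated."""
    return attacker_zone in validation_chain(zone, trust_anchors)


if __name__ == "__main__":
    peer = "peer.example."
    for anchors in ({"."}, {".", peer}):
        chain = validation_chain(peer, anchors)
        print(f"anchors={sorted(anchors)} chain={chain} "
              f"exposed to 'example.'={exposed_to(peer, anchors, 'example.')}")
```

With only the root anchor, a forged delegation at `example.` (or at the root) sits in the chain; once `peer.example.` itself is an anchor, the chain is just that zone, so the parent zones can no longer substitute keys for it. How the peer's anchor is obtained and kept current is exactly the out-of-band problem the thread argues about.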
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop