> Mark Andrews wrote:
>
> > > Because DNS is not end to end, DNSSEC is not secure end to end.
> > >
> > > Root, TLD and other zones between you and a zone of your peer
> > > are the targets of MitM attacks on DNSSEC.
> >
> > Which can be removed if needed by exchanging trust anchors
> > with peers.
>
> You can't.
>
> To exchange the trust anchors, you need cryptographically secure
> end to end security, which is not provided by DNSSEC.
>
> If you and your peer already have a secure channel, you have no
> reason to use DNSSEC for secure identification or communication
> with the peer.

Incorrect.

> > Anything other than one-to-one exchange of secrets/public
> > keys involves some trust in the introducer doing the
> > right thing.
>
> As the level of security is no different from PODS, it is the
> worst thing to bother to exchange public keys.

Incorrect.

> > If you have a solution that scales I'd love to hear it.
>
> Because DNS is not end to end, DNS does not really scale, a
> manifestation of which is the load on root servers.

None answer.

> Masataka Ohta

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [EMAIL PROTECTED]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop