Ted Lemon wrote:
>> If you and your peer already have secure channel, you have no
>> reason to use DNSSEC for secure identification nor communication
>> with the peer.
> Ohta-san, this is clueless in so many ways. It's inspiring.
>
> First of all, perhaps you do have a secure channel to your trust
> anchor.
First of all, you don't have a secure channel to a zone
administrator of some homepage you encountered during
netsurfing.
> This doesn't mean that you have a secure channel to all the
> zones that depend from it. So you can get the trust anchor key, and
> because you have it, you can now validate all those zones for which you
> have no such secure channel.
The problem, then, is that the validation is indirectly hop by
hop, not end to end.
There will be MitM attacks on intermediate zones.
> This is what, e.g., the PGP key signing that happens at
> every IETF is all about.
Another example of hop-by-hop security cannot deny the fact that
DNS security is not end to end.
Masataka Ohta
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
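The hop-by-hop chain Ohta-san is describing, as an added Go model that is not code from this thread or from any DNSSEC implementation: each parent vouches for its child by publishing a signed DS digest of the child's key, and the validator walking that chain has to trust every ancestor's key, not just the trust anchor. Zone names (., example, www.example), a single Ed25519 key per zone (no KSK/ZSK split) and DS-as-plain-SHA-256 are assumptions of the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// zone is a toy DNSSEC zone (assumed model, not real RRsets): one key, the DS
// digest it publishes for each child (ds) and its signature over it (sig).
type zone struct {
	name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	ds, sig map[string][]byte
}

func newZone(name string) *zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return &zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}

// dsOf models a DS record as the SHA-256 digest of the child's public key.
func dsOf(k ed25519.PublicKey) []byte { d := sha256.Sum256(k); return d[:] }
// delegate publishes the child's DS in the parent, signed with the parent key.
func (p *zone) delegate(c *zone) {
	p.ds[c.name], p.sig[c.name] = dsOf(c.pub), ed25519.Sign(p.priv, dsOf(c.pub))
}

// validate walks hop by hop from the trust anchor to target and returns every
// zone whose key the verdict rests on, i.e. every ancestor is a trusted party.
func validate(anchor *zone, zones map[string]*zone, target string) ([]string, error) {
	trusted, cur, labels := []string{anchor.name}, anchor, strings.Split(target, ".")
	for i := len(labels) - 1; i >= 0; i-- {
		child := strings.Join(labels[i:], ".")
		c, d := zones[child], cur.ds[child]
		if c == nil || d == nil || !ed25519.Verify(cur.pub, d, cur.sig[child]) ||
			string(dsOf(c.pub)) != string(d) {
			return nil, fmt.Errorf("%s: delegation to %s does not validate", cur.name, child)
		}
		trusted, cur = append(trusted, child), c
	}
	return trusted, nil
}

// buildChain constructs the sample chain . -> example -> www.example.
func buildChain() (*zone, map[string]*zone) {
	root, ex, www := newZone("."), newZone("example"), newZone("www.example")
	root.delegate(ex)
	ex.delegate(www)
	return root, map[string]*zone{"example": ex, "www.example": www}
}
```

Validating www.example returns [. example www.example]: a wrong DS or key at any of those hops (the intermediate-zone case in the thread) breaks the verdict, which is what makes the result hop-by-hop rather than end to end.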