True, which is why it depends on the local network. If the clients and recursive server are all part of the same organization, there may already be sufficient network security mechanisms in place that additional message authentication techniques (like TSIG) will not add any new value.
Stephane Bortzmeyer wrote:
> On Thu, Apr 23, 2009 at 07:10:13AM -0400,
> Scott Rose <[email protected]> wrote
> a message of 65 lines which said:
>
>> Those are the DNS protocol mechanisms in place. There are also lower-level
>> security technologies such as IPsec that could be used between
>> stub clients and recursive servers that don't rely on DNSSEC at all.
>
> TSIG, IPsec and friends have all the same issue: they check that the
> response does come from the intended resolver, not that the response
> is authentic. At a time when any hotel provides Internet access with
> a lying resolver, this is probably not sufficient.

--
----------------------------------------
Scott Rose
Computer Scientist
NIST
ph: +1 301-975-8439
[email protected]
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
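The distinction drawn in the exchange above (channel authentication with TSIG/IPsec versus data authenticity with DNSSEC), as an added example that is not part of the original thread and is not code from either poster. It models the two checks rather than implementing DNS: the RRset and its "canonical form" are a simplified stand-in for the real wire format, TSIG is reduced to HMAC-SHA256 with a key shared between stub and resolver (real TSIG per RFC 8945 covers the whole message and TSIG variables), and the zone signature uses Ed25519 as a stand-in for an RRSIG. The sample record (www.example. A 192.0.2.10) and the forged answer (203.0.113.66) are constructed documentation-prefix addresses. The point it shows is that a lying resolver that legitimately holds the TSIG key can MAC a forged answer, so TSIG passes, while the zone's private key is never in the resolver's hands, so DNSSEC validation fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is a minimal stand-in for a DNS answer: owner name, type and
// record data. TTL, class and wire format are deliberately omitted;
// this is a model of the two checks, not a DNS implementation.
type RRset struct {
	Name string
	Type string
	Data []string
}

// canonical returns a deterministic byte string for the RRset, so signer
// and validator hash the same bytes (simplified canonical form; assumption).
func (r RRset) canonical() []byte {
	data := append([]string(nil), r.Data...)
	sort.Strings(data)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(data, ","))
}

// Response is what the stub receives: the RRset, the zone's RRSIG-like
// signature, and a TSIG-like MAC over both.
type Response struct {
	RRset RRset
	RRSIG []byte
	TSIG  []byte
}

// signRRset plays the role of the authoritative zone producing an RRSIG.
// The private key stays with the zone owner; resolvers only ever see it used.
func signRRset(zonePriv ed25519.PrivateKey, r RRset) []byte {
	return ed25519.Sign(zonePriv, r.canonical())
}

// tsigMAC is the simplified TSIG: HMAC-SHA256 with the stub/resolver shared key.
func tsigMAC(key []byte, r RRset, rrsig []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(r.canonical())
	m.Write(rrsig)
	return m.Sum(nil)
}

// Resolver answers queries. An honest one forwards the zone's RRset and
// RRSIG; a lying one substitutes its own data. Either way it holds the
// TSIG key shared with the stub, so it can always produce a valid MAC.
type Resolver struct {
	tsigKey []byte
	lying   bool
}

func (rv Resolver) Answer(zoneRRset RRset, zoneSig []byte) Response {
	r := zoneRRset
	if rv.lying {
		// Forged answer (constructed documentation address).
		r = RRset{Name: zoneRRset.Name, Type: zoneRRset.Type, Data: []string{"203.0.113.66"}}
	}
	return Response{RRset: r, RRSIG: zoneSig, TSIG: tsigMAC(rv.tsigKey, r, zoneSig)}
}

// VerifyTSIG answers "did this come from the resolver I share a key with?"
func VerifyTSIG(key []byte, resp Response) bool {
	return hmac.Equal(resp.TSIG, tsigMAC(key, resp.RRset, resp.RRSIG))
}

// VerifyDNSSEC answers "did the zone owner sign exactly these records?"
func VerifyDNSSEC(zonePub ed25519.PublicKey, resp Response) bool {
	return ed25519.Verify(zonePub, resp.RRset.canonical(), resp.RRSIG)
}

// Demo builds one zone key pair, one shared TSIG key and one resolver, then
// reports what each check says about the resolver's answer.
func Demo(lying bool) (tsigOK, dnssecOK bool, err error) {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample record using the 192.0.2.0/24 documentation prefix.
	rr := RRset{Name: "www.example.", Type: "A", Data: []string{"192.0.2.10"}}
	sig := signRRset(zonePriv, rr)

	tsigKey := make([]byte, 32)
	if _, err := rand.Read(tsigKey); err != nil {
		return false, false, err
	}
	resp := Resolver{tsigKey: tsigKey, lying: lying}.Answer(rr, sig)
	return VerifyTSIG(tsigKey, resp), VerifyDNSSEC(zonePub, resp), nil
}

func main() {
	for _, lying := range []bool{false, true} {
		t, d, err := Demo(lying)
		if err != nil {
			panic(err)
		}
		fmt.Printf("lying resolver=%v: TSIG ok=%v, DNSSEC ok=%v\n", lying, t, d)
	}
}
```

Running it prints TSIG ok in both cases and DNSSEC ok only for the honest resolver, which is the gap the thread is about: a MAC keyed between stub and resolver proves which resolver answered, and nothing about whether the answer matches what the zone published. Replacing the HMAC with IPsec changes nothing in the second column.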
