On 7 Mar 2010, at 12:47, Masataka Ohta wrote:

> While the Bad Guy as an ISP administrator won't have the private
> keys, the Bad Guy as a zone administrator will have the private keys.

True, but irrelevant. The original discussion was a theoretical, misplaced concern about spoofed priming queries. It was not about whether the Bad Guy had control over the zone being spoofed. Please don't confuse the two.

> That is, DNSSEC is not secure cryptographically, which is another
> reason why not to deploy DNSSEC.

This claim is ridiculous. Unless someone uncovers a fundamental flaw in public key cryptography, DNSSEC is secure cryptographically provided the private key(s) remain private.

Now some people may (or may not) trust a third party to manage their keys and zone signing for them. That's their choice. It's just one of the many trade-offs that have to be considered in any sort of security system. For some, a private key held by a third party may well meet or exceed their security requirements. It takes a wild leap of the imagination and powerful reality distortion to use that as justification for the claims you made.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop