On 8/03/2010, at 8:03 AM, Masataka Ohta wrote:

> The problem is that DNSSEC was wrongly advertised to increase
> the level of security.

I think you are picking your own definition of security to suit your argument.  
Those promoting DNSSEC have only ever said that the "security" it provides is 
basic validation of a) message originator and b) message integrity.

> The reality, however, is that ISPs are as secure/reliable/trustable
> as zones, which means DNSSEC does not increase the level of security.

I don't understand what that means.  Are you suggesting that DNSSEC should have 
somehow dealt with insecure/unreliable/untrustworthy ISPs?

>> it IS a PKI
> 
> PKI is broken, of course. So?

That is a bit like saying that all cars are broken because of a few problems 
Toyota are having.  In other words it is a totally unsupported generalisation. 

> 
>> Additionally, since it would be end-host application validating
>> those signatures, it can enforce that "there must exist a
>> signature path from the root" (aka, it is actually a PKI). [1]
> 
> The meaningful security for end hosts is that the security is
> broken only if one of the end hosts is compromised, which means
> fate sharing, whereas, with DNSSEC, end hosts can do nothing if
> intermediate zones are compromised.

DNS is largely asymmetric.  On the whole I produce, others consume.  So why 
would I need to fate-share with any consumer of my DNS messages?  Your vision 
of security is for something quite different.

Is this the essence of your grievance - DNSSEC has a chain of trust so any zone 
operator is dependent on another, thereby making a zone operator vulnerable to 
bad actors amongst those they depend on?

If so then please explain how you can reliably get keys for my zones 
1.  without relying on others in a chain of trust
2.  in a way that scales

kind regards
Jay

> 
>> [1] Thus, you don't have to worry about also needing the name
>> path for the resolvers signed or the DOS attack by a MitM
>> stripping signatures as part of their changing DNS results.
> 
> MitM of a zone chain can easily change DNS results.
> 
>                                               Masataka Ohta
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop


-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
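The chain of trust Jay describes (root key pinned as a trust anchor, DS in the parent, DNSKEY in the child) and the two failure modes the thread argues about (an on-path party stripping signatures, and a compromised intermediate zone re-pointing a delegation) can be modelled in a few dozen lines. The following toy validator is an added illustration and is not part of the thread or of any DNSSEC implementation. Its signing scheme is a constructed stand-in: HMAC-SHA256 with a per-zone secret plays the role of the DNSKEY/RRSIG pair, so the verifier here holds the zone "key", which real DNSSEC never requires; the zone names and addresses are likewise constructed.

```python
"""Toy DNSSEC chain-of-trust walk (added illustration, not code from the thread).

Assumptions: HMAC-SHA256 with a per-zone secret stands in for public-key RRSIGs;
a DS record is the SHA-256 of the child's key; the root key hash is the trust anchor.
The delegation logic, not the signature scheme, is the point.
"""
import hashlib
import hmac
import os


def canonical(owner, rtype, values):
    """Canonical bytes of an RRset, the thing a signature covers."""
    return f"{owner}|{rtype}|{'|'.join(sorted(values))}".encode()


def ds_hash(key):
    """Toy DS: hash of the child's DNSKEY, published and signed in the parent."""
    return hashlib.sha256(key).hexdigest()


class Zone:
    def __init__(self, name, key=None):
        self.name = name
        self.key = key or os.urandom(32)   # toy DNSKEY (constructed)
        self.rrsets = {}                   # (owner, type) -> values
        self.rrsigs = {}                   # (owner, type) -> toy RRSIG
        self.add(name, "DNSKEY", [self.key.hex()])   # self-signed DNSKEY RRset

    def add(self, owner, rtype, values):
        self.rrsets[(owner, rtype)] = list(values)
        self.rrsigs[(owner, rtype)] = hmac.new(
            self.key, canonical(owner, rtype, values), hashlib.sha256).digest()

    def delegate(self, child):
        """Parent publishes a signed DS for the child's key."""
        self.add(child.name, "DS", [ds_hash(child.key)])


def verify_rrset(zone, owner, rtype, key):
    """Values of the RRset if its signature validates under key, else None."""
    values = zone.rrsets.get((owner, rtype))
    sig = zone.rrsigs.get((owner, rtype))
    if values is None or sig is None:      # missing data or a stripped RRSIG => bogus
        return None
    expect = hmac.new(key, canonical(owner, rtype, values), hashlib.sha256).digest()
    return values if hmac.compare_digest(sig, expect) else None


def zone_key(zone, expected_ds):
    """Zone's DNSKEY, accepted only if it matches the DS (or trust anchor) and self-verifies."""
    values = zone.rrsets.get((zone.name, "DNSKEY"))
    if not values:
        return None
    key = bytes.fromhex(values[0])
    if ds_hash(key) != expected_ds:
        return None
    return key if verify_rrset(zone, zone.name, "DNSKEY", key) else None


def validate(qname, qtype, zones, trust_anchor):
    """Walk root -> ... -> zone holding qname; return ('secure', values) or ('bogus', why)."""
    labels = qname.rstrip(".").split(".")
    # e.g. www.example.nz. -> ['.', 'nz.', 'example.nz.', 'www.example.nz.']
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    expected, key, current = trust_anchor, None, None
    for name in path:
        if name not in zones:              # no zone cut here, stay in the current zone
            continue
        zone = zones[name]
        if current is not None:            # fetch and verify the parent's DS for this child
            ds = verify_rrset(current, name, "DS", key)
            if ds is None:
                return ("bogus", f"no valid DS for {name} in {current.name}")
            expected = ds[0]
        key = zone_key(zone, expected)
        if key is None:
            return ("bogus", f"DNSKEY of {name} does not match DS or fails its signature")
        current = zone
    values = verify_rrset(current, qname, qtype, key)
    if values is None:
        return ("bogus", f"{qname}/{qtype}: missing or invalid signature")
    return ("secure", values)


def build_chain():
    """Constructed three-level chain: root -> nz. -> example.nz."""
    root, nz, example = Zone("."), Zone("nz."), Zone("example.nz.")
    example.add("www.example.nz.", "A", ["192.0.2.1"])
    nz.delegate(example)
    root.delegate(nz)
    return {z.name: z for z in (root, nz, example)}


def scenario_secure():
    zones = build_chain()
    return validate("www.example.nz.", "A", zones, ds_hash(zones["."].key))


def scenario_stripped_signature():
    """On-path party drops the RRSIG: the answer is rejected, not silently accepted."""
    zones = build_chain()
    del zones["example.nz."].rrsigs[("www.example.nz.", "A")]
    return validate("www.example.nz.", "A", zones, ds_hash(zones["."].key))


def scenario_altered_answer():
    """Record changed without the zone key: signature no longer matches."""
    zones = build_chain()
    zones["example.nz."].rrsets[("www.example.nz.", "A")] = ["198.51.100.9"]
    return validate("www.example.nz.", "A", zones, ds_hash(zones["."].key))


def scenario_parent_repoints_delegation():
    """The dependency argued in the thread: if the parent's key signs a DS for a key the
    child's operator never issued, a validator still reports the result as secure."""
    zones = build_chain()
    other = Zone("example.nz.")
    other.add("www.example.nz.", "A", ["203.0.113.7"])
    zones["nz."].delegate(other)
    zones["example.nz."] = other
    return validate("www.example.nz.", "A", zones, ds_hash(zones["."].key))


if __name__ == "__main__":
    for f in (scenario_secure, scenario_stripped_signature,
              scenario_altered_answer, scenario_parent_repoints_delegation):
        print(f"{f.__name__}: {f()}")
```

The first three scenarios show what the DNSSEC proponents in the thread mean by "security": tampering and signature stripping both come back as bogus rather than as a plausible answer. The last scenario is Ohta's objection in executable form: nothing the child zone operator does changes the outcome once the parent's key is used to publish a different DS, which is why the closing questions about obtaining keys without a chain of trust, and at scale, are the crux of the disagreement.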

