On Mar 7, 2010, at 11:03 AM, Masataka Ohta wrote:

> Nicholas Weaver wrote:
>
>>> That is, DNSSEC is not secure cryptographically, which is another
>>> reason why not to deploy DNSSEC.
>
>> I don't see what your argument here is.
>>
>> DNSSEC is a "PKI in disguise", and like ANY PKI, you still depend
>> on trust up the hierarchy,
>
> Yes, you do understand the problem.
>
>> But DNS has ALWAYS depended on trust-up-the-hierarchy anyway,
>> so this aspect of DNSSEC doesn't increase the level of trust
>> required in DNS,
>
> The problem is that DNSSEC was wrongly advertised to increase
> the level of security.
>
> The reality, however, is that ISPs are as secure/reliable/trustable
> as zones, which means DNSSEC does not increase the level of security.
IF you use DNSSEC for A records, I agree with you completely. Simply put, because either the end application never trusted DNS OR it is trivially p0wned by a MitM.

IF you use DNSSEC for TXT and CERT records, it's a very different story. Existing PKIs have too MANY paths of trust, and paths of trust which are disjoint from the name hierarchy. By uniting these and REDUCING the paths of trust, you end up with a better system.

And PKI, despite what you say, is not broken. Hierarchical trust OR web of trust, you have to have some transitive trust to make a usable system.

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
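The "paths of trust" argument in the reply above can be made concrete. The following is an added example, not code from the thread or from either poster: it models who could forge a name-to-key binding (the kind of binding a CERT or TXT record carries) under a flat certificate store versus a name-hierarchy model in which only the zones above a name sign for it. The CA store is constructed sample data with hypothetical names; the name-hierarchy model treats every label boundary as a potential zone cut, so the real set of signing zones for a name is a subset of what it reports.

```python
"""Compare who can forge a name->key binding under two trust models.

Added illustration for the DNSSEC-vs-PKI "paths of trust" argument; the
CA store below is constructed sample data, not any real trust store.
"""
from typing import Dict, List, Set, Tuple

# Constructed: hypothetical roots and the intermediates they have signed.
# An empty list means the root issues end-entity certificates directly.
WEB_PKI_STORE: Dict[str, List[str]] = {
    "Root CA A": ["A Intermediate 1", "A Intermediate 2"],
    "Root CA B": ["B Intermediate 1"],
    "Root CA C": [],
}

Path = Tuple[str, ...]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot: 'WWW.Example.COM.' -> 'www.example.com'."""
    return name.strip().lower().rstrip(".")


def dns_ancestors(name: str) -> List[str]:
    """Every name on the delegation chain from the root down to `name`, root first.

    'www.example.com' -> ['.', 'com.', 'example.com.', 'www.example.com.']
    Each entry is a *possible* zone cut; real zone cuts are a subset.
    """
    n = normalize(name)
    if not n:
        return ["."]
    labels = n.split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def dnssec_trust_paths(name: str) -> List[Path]:
    """Name-hierarchy model: exactly one chain, following the name itself."""
    return [tuple(dns_ancestors(name))]


def web_pki_trust_paths(name: str,
                        store: Dict[str, List[str]] = WEB_PKI_STORE) -> List[Path]:
    """Flat-store model without name constraints: every root, through every
    intermediate it has signed (or directly), can issue for any name, so the
    set of paths does not depend on where `name` sits in the DNS tree."""
    leaf = normalize(name)
    paths: List[Path] = []
    for root, intermediates in store.items():
        if not intermediates:
            paths.append((root, leaf))
        for inter in intermediates:
            paths.append((root, inter, leaf))
    return paths


def forging_parties(paths: List[Path]) -> Set[str]:
    """Every signer on some path (everything but the leaf) can forge the binding."""
    parties: Set[str] = set()
    for path in paths:
        parties.update(path[:-1])
    return parties


def compare(name: str) -> Dict[str, Set[str]]:
    """Return the forging-party sets for `name` under both models."""
    return {
        "web_pki": forging_parties(web_pki_trust_paths(name)),
        "dnssec": forging_parties(dnssec_trust_paths(name)),
    }


if __name__ == "__main__":
    for n in ("www.example.com.", "mail.example.net."):
        result = compare(n)
        print(f"{n}")
        print(f"  web PKI paths: {len(web_pki_trust_paths(n))}, "
              f"parties who can forge: {sorted(result['web_pki'])}")
        print(f"  DNSSEC paths:  {len(dnssec_trust_paths(n))}, "
              f"parties who can forge: {sorted(result['dnssec'])}")
```

Run stand-alone, it shows the two properties the reply leans on: under the flat store the forging set for `www.example.com.` and `mail.example.net.` is identical (every root and intermediate, regardless of the name), while under the name-hierarchy model the set shrinks to the root, the TLD and the parent zone, and differs between the two names because it follows the name itself.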
