Jay Daley wrote:
> I think you are picking your own definition of security to suit
> your argument.
If you can deny the following reality:
>>The reality, however, is that ISPs are as secure/reliable/trustable
>>as zones, which means DNSSEC does not increase the level of security.
feel free to deny me. Otherwise, accept the reality.
> Are you suggesting that DNSSEC should have somehow dealt with
> insecure/unreliable/untrustworthy ISPs?
DNS is dealt with zones as insecure/unreliable/untrustworthy as ISPs.
> DNS is largely asymmetric. On the whole I produce, others consume.
> So why would I need to fate-share with any consumer of my DNS
> messages?
DNS?
Fate sharing security is required for applications running on
end hosts. DNS security itself is abstract and is no goal.
> If so then please explain how you can reliably get keys for my zones
> 1. without a relying on others in a chain of trust
I can't, which is why DNSSEC is as insecure as plain DNS.
> 2. in a way that scales
It seems to me that cryptographic, end to end, or fate sharing
security is not scalable.
Masataka Ohta