In message <[email protected]>, Masataka Ohta writes:
> Jay Daley wrote:
> 
> > I think you are picking your own definition of security to suit
> > your argument.
> 
> If you can deny the following reality:
> 
> >>The reality, however, is that ISPs are as secure/reliable/trustable
> >>as zones, which means DNSSEC does not increase the level of security.
> 
> feel free to deny me. Otherwise, accept the reality.
> 
> > Are you suggesting that DNSSEC should have some how dealt with
> > insecure/unreliable/untrustworthy ISPs?
> 
> DNS is dealt with zones as insecure/unreliable/untrustworthy as ISPs.

There is plenty of evidence for ISPs modifying DNS responses to
queries directed to their recursive servers without notifying the
client population before doing so.

There are also reports of ISPs modifying DNS responses not directed
to their recursive servers.  If you wish to include hotels in the
ISP category (which they are for the duration of your stay at the hotel)
then there is ample evidence of this happening.

So yes, I don't trust ISPs.
 
> > DNS is largely asymmetric.  On the whole I produce, others consume.
> > So why would I need to fate-share with any consumer of my DNS
> > messages?
> 
> DNS?
> 
> Fate sharing security is required for applications running on
> end hosts. DNS security itself is abstract and is no goal.
> 
> > If so then please explain how you can reliably get keys for my zones 
> > 1.  without a relying on others in a chain of trust
> 
> I can't, which is why DNSSEC is as insecure as plain DNS.
> 
> > 2.  in a way that scales
> 
> It seems to me that cryptographic, end to end, or fate sharing
> security is not scalable.
> 
>                                               Masataka Ohta
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
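One way to check for the response rewriting Mark describes above, as an added example that is not code from the thread, from ISC or from either poster: send a resolver a query for a name that cannot exist (the .invalid TLD is reserved for exactly this) and see whether it answers NXDOMAIN or fabricates an A record. The packets below are constructed by hand so the check runs offline; the probe name and the 203.0.113.7 "ad server" address (a TEST-NET-3 documentation address) are assumptions.

```python
"""Spot a resolver that rewrites DNS answers (e.g. NXDOMAIN -> ad-server A record).

Added example, not part of the original mailing-list thread. Uses only the
standard library; the sample packets are constructed inline.
"""
import socket
import struct

# .invalid is reserved (RFC 2606): an honest resolver must return NXDOMAIN.
PROBE_NAME = "nxdomain-probe.invalid."  # assumed probe name


def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format query: header (RD set), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Parse header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    # AD (0x0020) only means the resolver *claims* validation; over an
    # untrusted path the bit can be set by whoever rewrote the answer.
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "questions": questions, "answers": answers}


def classify(query, response):
    """Verdict for a reply to a probe whose name is known not to exist."""
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"] or r["questions"] != q["questions"]:
        return "mismatch"            # not a reply to our probe at all
    if r["rcode"] == 3 and not r["answers"]:
        return "honest-nxdomain"
    if r["rcode"] == 0 and any(a[1] == 1 for a in r["answers"]):
        return "rewritten"           # NXDOMAIN turned into an A record
    return "other"


def make_response(query, rcode, a_records):
    """Constructed reply to `query`: echoes the question, adds A RRs via c00c pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes(int(x) for x in ip.split(".")) for ip in a_records)
    return hdr + query[12:] + rrs


def live_probe(resolver_ip, timeout=2.0):
    """Send the probe to a real resolver over UDP/53 and classify its reply."""
    query = build_query(PROBE_NAME)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify(query, reply)


# Constructed sample traffic: one honest reply, one rewritten by a lying resolver.
PROBE = build_query(PROBE_NAME)
HONEST = make_response(PROBE, 3, [])
REWRITTEN = make_response(PROBE, 0, ["203.0.113.7"])  # assumed ad-server address

if __name__ == "__main__":
    print("honest   :", classify(PROBE, HONEST))
    print("rewritten:", classify(PROBE, REWRITTEN))
```

Run it against a hotel or ISP resolver with live_probe("<resolver ip>"); a "rewritten" verdict is the behaviour the post complains about. The AD bit is deliberately not used as evidence, since anything that can rewrite the answer can set it too; only validating locally (or carrying the DNSSEC chain to the end host) removes the resolver from the trust path.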