Nicholas Weaver wrote:

> DNSSEC is ONLY useful for things like TXT and CERT records fetched
> by a DNSSEC aware cryptographic application, and that would
> require a valid signature chain from the root(s) of trust
> (either preconfigured or on a path from the signed root) validated
> on the client, so an imitation a.root-servers.net won't matter, as
> it won't be able to provide improper data.

DNSSEC is still not useful, because attackers can pretend that retail
ISPs can't pass DNSSEC packets.

Then, there is a choice of:

        1) not to use the net with untrustworthy zones and ISPs

        2) to use the net even with untrustworthy zones and ISPs

and most people will use the net anyway.

Note that DNSSEC does not make untrustworthy zones trustable.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
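The two positions above (Weaver: a validating client rejects anything an imitation root server could serve; Ohta: an attacker need only make the signatures disappear and the client then chooses between no net and unsigned data) can be shown side by side in a small model of chain-of-trust validation. The program below is an added illustration written for this page, not code from either poster or from any DNSSEC implementation. It assumes a deliberately simplified model: Ed25519 stands in for the DNSSEC signing algorithms, a DS record is just the SHA-256 of the child's key, RRsets are a single TXT record, there are no key tags, NSEC records or TTLs, and the zone names (`.`, `net.`, `example.net.`) and record contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone holds one signing key. Real DNSSEC splits this into KSK/ZSK and
// publishes the public half as a DNSKEY RRset; this model keeps one key.
type Zone struct {
	Name string
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Priv: priv, Pub: pub}
}

// Link is one delegation step: the child's key, the parent's DS record for
// that key, and the parent's signature over the DS (assumed encoding).
type Link struct {
	Child string
	Key   ed25519.PublicKey
	DS    []byte // sha256(child key), published in the parent zone
	DSSig []byte // parent's RRSIG over (child name || DS)
}

// Answer is the final record plus its RRSIG; Sig is nil when stripped.
type Answer struct {
	Name  string
	TXT   string
	Chain []Link // delegations from directly under the root down to the leaf zone
	Sig   []byte // leaf zone's RRSIG over (name || TXT)
}

func dsFor(key ed25519.PublicKey) []byte { h := sha256.Sum256(key); return h[:] }
func dsMsg(child string, ds []byte) []byte { return append([]byte(child+"|"), ds...) }
func rrMsg(name, txt string) []byte      { return []byte(name + "|TXT|" + txt) }

// SignedAnswer builds a fully signed answer along root -> zones... -> leaf.
func SignedAnswer(root *Zone, zones []*Zone, name, txt string) Answer {
	a := Answer{Name: name, TXT: txt}
	parent := root
	for _, z := range zones {
		ds := dsFor(z.Pub)
		a.Chain = append(a.Chain, Link{Child: z.Name, Key: z.Pub, DS: ds,
			DSSig: ed25519.Sign(parent.Priv, dsMsg(z.Name, ds))})
		parent = z
	}
	a.Sig = ed25519.Sign(parent.Priv, rrMsg(name, txt))
	return a
}

var ErrBogus = errors.New("bogus: signature or DS mismatch")
var ErrUnsigned = errors.New("insecure: no signatures present")

// Validate walks the chain starting from the client's preconfigured root
// trust anchor, so where the bytes came from (a real or imitation root
// server, a cache, an ISP resolver) does not matter, only what they prove.
func Validate(anchor ed25519.PublicKey, a Answer) error {
	if a.Sig == nil {
		return ErrUnsigned
	}
	key := anchor
	for _, l := range a.Chain {
		if !ed25519.Verify(key, dsMsg(l.Child, l.DS), l.DSSig) {
			return ErrBogus
		}
		if !bytes.Equal(l.DS, dsFor(l.Key)) {
			return ErrBogus
		}
		key = l.Key
	}
	if !ed25519.Verify(key, rrMsg(a.Name, a.TXT), a.Sig) {
		return ErrBogus
	}
	return nil
}

// Accept applies the client's policy to a validation result. A client that
// refuses unsigned answers loses the name entirely when signatures are
// stripped in transit; one that accepts them can be fed anything that way.
func Accept(hardFail bool, err error) bool {
	switch {
	case err == nil:
		return true
	case errors.Is(err, ErrUnsigned):
		return !hardFail
	default:
		return false
	}
}

// Scenarios: an honest answer, one from an imitation root server that holds
// its own keys but not the real root's, and the honest data with signatures
// stripped (the "ISP can't pass DNSSEC packets" case). Data is constructed.
func Scenarios() map[string]error {
	root, tld, leaf := NewZone("."), NewZone("net."), NewZone("example.net.")
	honest := SignedAnswer(root, []*Zone{tld, leaf}, "example.net.", "v=spf1 -all")
	fakeRoot := NewZone(".")
	forged := SignedAnswer(fakeRoot, []*Zone{NewZone("net."), NewZone("example.net.")},
		"example.net.", "v=spf1 +all")
	stripped := honest
	stripped.Sig, stripped.Chain = nil, nil
	return map[string]error{
		"honest":   Validate(root.Pub, honest),
		"forged":   Validate(root.Pub, forged),
		"stripped": Validate(root.Pub, stripped),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-8s validate=%v hard-fail accepts=%v lenient accepts=%v\n",
			name, err, Accept(true, err), Accept(false, err))
	}
}
```

Running it shows the honest chain validating, the imitation-root answer rejected as bogus at the first DS signature, and the stripped answer reported as insecure; what then happens with the stripped answer is entirely the client's policy choice, which is the fork in the road the message above describes.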