On Oct 4, 2010, at 5:46 PM, Martin Rex wrote: >> DNSSEC provides a "secure" association FROM the name TO the IP address. >> But the DNS domain owner tends not to be the host owner so this asserted >> association may not reflect the intent of the host owner. >> Also, DNSSEC doesn't protect from IP hijacking (re-routing). > > Incorrect characterisation. DNSSEC provides only for secure distribution > of DNS records. Whether the distributed DNS records are accurate or > trustworthy is a completely distinct issue.
I think secure distribution of DNS records implies secure distribution of name to IP associations. Whether those records are <whatever/> depends on the practices of the domain administrator. Is a 3rd party CA is more or less (likely to be) trustworthy than the relevant domain administrator? ------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. [email protected], or [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
