>>> DNSSEC provides a "secure" association FROM the name TO the IP
>>> address.

>> Incorrect characterisation. DNSSEC provides only for secure
>> distribution of DNS records. Whether the distributed DNS records
>> are accurate or trustworthy is a completely distinct issue.

> I think secure distribution of DNS records implies secure
> distribution of name to IP associations.

Yes, it does, name-to-IP associations being one of the major things the DNS is used for.

But the original statement was that DNSSEC provides "secure" association from name to IP. This is a stronger property than providing secure distribution of name-to-IP mapping information; it also implies that the creation of that information and its injection into the distribution mechanisms are "secure" (whatever that means - I note that none of these say what they are talking about being secure against; perhaps I'm just missing context).

> Is a 3rd party CA more or less (likely to be) trustworthy than the
> relevant domain administrator?

There are (at least moderately) common scenarios in which it's the one way around; there are other similarly common scenarios in which it's the other - at least for most types of trust; again, this doesn't give much hint of the threat model of interest.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
