On 10/5/2010 1:00 AM, der Mouse wrote:
> But the original statement was that DNSSEC provides "secure" association from name to IP. This is a stronger property than providing secure distribution of name-to-IP mapping information; it also implies that the creation of that information and its injection into the distribution mechanisms are "secure" (whatever that means - I note that none of these say what they are talking about being secure against; perhaps I'm just missing context).

Sorry, almost nothing you wrote above is true. The only thing that DNSSEC has ever claimed to be able to do is provide a way for the end user of the DNS data to prove to herself that the data they received is the data that the administrator of the zone wanted them to have. The use of the word "security" in the name of the protocol extension was an incredibly unfortunate choice because it conveys all of the misunderstandings you listed above, and a lot more.

Doug

-- 
Breadth of IT experience, and    | Nothin' ever doesn't change,
depth of knowledge in the DNS.   | but nothin' changes much.
Yours for the right price. :)    |         -- OK Go
http://SupersetSolutions.com/
