On Aug 28, 2013, at 8:37 AM, Paul Wouters <[email protected]> wrote: ...
> Sounds like certificate pinning or CT-DNSSEC. It has the same problems.
> There will be more false positives than actual attacks, and people will
> disable it.

Of course, that argument also says "Ditch DNSSEC altogether, bypass the recursive resolver, and have a nice day": How many attacks has DNSSEC stopped to date, vs false positives due to misconfiguration?

That's also why it's temporary (unlike most cert pinning, which is far more semi-permanent). And there is the hurdle of "If you are actually configuring DNSSEC, there is an assumed minimum clue level".

Has anyone yet studied whether the DS and NS RRSETs tend to change at the same time for major domains?

--
Nicholas Weaver                 it is a tale, told by an idiot,
[email protected]               full of sound and fury,
510-666-2903                    .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
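The closing question in the message above (do DS and NS RRsets for a delegation tend to change together?) is the kind of thing you can answer from a series of parent-zone snapshots. The following is an added example, not code from the thread or from any of its participants: it takes a list of (date, DS RRset, NS RRset) observations and counts how often DS and NS change alone versus together, and further splits each DS change into a staged rollover (the new set still shares a record with the old one, as in add-before-remove) versus a wholesale replacement (no record in common). The snapshot data, the zone name and the DS digests are constructed for illustration; the function and field names are this example's own.

```python
"""Co-change study of DS and NS RRsets across delegation snapshots.

Added example, not part of the DNSOP thread. All snapshot data below is
constructed; in a real study each Snapshot would come from a dated
observation of the parent zone (e.g. a zone-file archive or passive DNS).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Snapshot:
    """One observation of a delegation as published by the parent zone."""
    when: str             # observation date (constructed)
    ds: FrozenSet[str]    # DS RRset, 'keytag alg digesttype digest' per record
    ns: FrozenSet[str]    # NS RRset, one owner name per record


def _kind(old: FrozenSet[str], new: FrozenSet[str]) -> str:
    """Classify how an RRset moved between two consecutive snapshots.

    'same'         unchanged
    'overlap'      changed, but at least one record survived (staged rollover)
    'replacement'  changed with no record in common (registrar move, flag-day
                   rekey, or what a hijack of the delegation would look like)
    """
    if old == new:
        return "same"
    return "overlap" if old & new else "replacement"


def classify(prev: Snapshot, cur: Snapshot) -> Tuple[str, str]:
    """Return (ds_kind, ns_kind) for one consecutive pair of snapshots."""
    return _kind(prev.ds, cur.ds), _kind(prev.ns, cur.ns)


def cochange_stats(snaps: List[Snapshot]) -> Dict[str, int]:
    """Count how DS and NS changes line up over consecutive snapshots."""
    stats = {"none": 0, "ds_only": 0, "ns_only": 0, "both": 0,
             "ds_overlap": 0, "ds_replacement": 0}
    for prev, cur in zip(snaps, snaps[1:]):
        ds_kind, ns_kind = classify(prev, cur)
        ds_changed = ds_kind != "same"
        ns_changed = ns_kind != "same"
        if ds_changed and ns_changed:
            stats["both"] += 1
        elif ds_changed:
            stats["ds_only"] += 1
        elif ns_changed:
            stats["ns_only"] += 1
        else:
            stats["none"] += 1
        if ds_kind == "overlap":
            stats["ds_overlap"] += 1
        elif ds_kind == "replacement":
            stats["ds_replacement"] += 1
    return stats


# Constructed history for a hypothetical zone 'example.test':
#  - a double-DS KSK rollover (add DS2, then drop DS1) with NS untouched,
#  - an NS-only change (one nameserver swapped),
#  - a provider move where both DS and NS are replaced outright.
DS1 = "31589 8 2 0000000000000000000000000000000000000000000000000000000000000001"
DS2 = "43547 8 2 0000000000000000000000000000000000000000000000000000000000000002"
DS3 = "12345 13 2 0000000000000000000000000000000000000000000000000000000000000003"

SNAPSHOTS: List[Snapshot] = [
    Snapshot("2013-01-01", frozenset({DS1}), frozenset({"ns1.old.test.", "ns2.old.test."})),
    Snapshot("2013-02-01", frozenset({DS1, DS2}), frozenset({"ns1.old.test.", "ns2.old.test."})),
    Snapshot("2013-03-01", frozenset({DS2}), frozenset({"ns1.old.test.", "ns2.old.test."})),
    Snapshot("2013-04-01", frozenset({DS2}), frozenset({"ns1.old.test.", "ns3.old.test."})),
    Snapshot("2013-05-01", frozenset({DS3}), frozenset({"a.new.test.", "b.new.test."})),
]


if __name__ == "__main__":
    for prev, cur in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        print(cur.when, classify(prev, cur))
    print(cochange_stats(SNAPSHOTS))
```

Read against the false-positive argument in the thread: in this constructed history, three of the four change events touch DS or NS alone, and the only event where both are replaced with nothing in common is the provider move, which is also the one event that is indistinguishable from a hostile re-delegation on DS/NS content alone. Run over real parent-zone archives, the same counts would tell you how often a pin keyed on "DS set shares a record with the previous set" would alarm on ordinary operations.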
