Samuel Weiler <wei...@csail.mit.edu> wrote:
>
> That does not include the argument in the below bullet, which I find unclear.
> What does "name redirection" mean in this context?
>
>    o  Since the zones are related to private networks, it would make
>       more sense to make the internal network more secure to avoid name
>       redirection, rather than complicate the DNS protocol.
I guess it's referring to active DNS modification attacks?

Another reason not mentioned in the draft is resilience against loss of connectivity. If you have a local trust anchor you can validate local zones even when you can't reach the outside world. With normal DNSSEC validation everything is screwed if you can't obtain the chain of trust.

Of course, the network should be secure and reliable in its lower layers, but I tend to think the DNS should be secure and reliable itself, even if the lower layers are a bit dodgy.

Having thought about this a bit, I now prefer something like catalog zones as a way to distribute trust anchors.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Lundy, Fastnet: Variable 2 to 4 in east Lundy, otherwise southerly veering southwesterly 4 to 6. Slight or moderate in east Lundy, but elsewhere moderate or rough. Thundery showers. Moderate or good.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
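As an added illustration of the local-trust-anchor point made in the reply above (this configuration is written for this page and is not part of the thread or of any draft), here is an Unbound resolver configuration that carries both the usual root-only setup and the extra local anchor. The zone name corp.example, the internal server address 10.0.0.53 and the DS record (key tag, algorithm, digest) are constructed placeholders; a real deployment would use the DS of the internal zone's actual KSK.

```conf
# Added example, not from the original post.  Unbound validating resolver
# that keeps validating an internal zone when the path to the root is down.
# corp.example, 10.0.0.53 and the DS record below are constructed placeholders.
server:
    # Usual setup: the only trust anchor is the root.  Validating a name under
    # corp.example then needs the DS/DNSKEY chain fetched from the root and the
    # parent zone; if upstream connectivity is lost, those lookups fail and the
    # resolver returns SERVFAIL even though the internal servers are reachable.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Resilience setting discussed in the thread: a trust anchor for the
    # internal zone itself.  Unbound validates from the closest configured
    # anchor, so names under corp.example need only the internal servers'
    # DNSKEY RRset and the signatures on the answer, not the public chain.
    # Caveat: the DS must match the zone's current KSK; a KSK rollover means
    # this line must be updated on every resolver, which is exactly the
    # distribution problem the thread is about.
    trust-anchor: "corp.example. DS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Send queries for the internal zone straight to the internal authoritative
# servers rather than following the public delegation (constructed address).
stub-zone:
    name: "corp.example."
    stub-addr: 10.0.0.53
```

To check the effect, run `unbound-host -C /etc/unbound/unbound.conf -v host.corp.example` with and without the `trust-anchor:` line while the resolver cannot reach the root: with the local anchor the answer is reported as `(secure)`, without it the lookup fails because the chain of trust cannot be obtained. The local anchor only helps if the internal servers actually sign corp.example with the key the DS describes; an unsigned internal zone still needs the parent to prove the absence of a DS.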