On Mar 21, 2022, at 1:01 AM, Masataka Ohta <[email protected]> wrote:

> Paul Wouters wrote:
>
>>> Constructive thing to do to make DNS secure is to totally
>>> abandon DNSSEC and rely on DNS cookie or something like that.
>
>> DNS cookies provide no data origin security, only a weak transport
>> security against non-on-path attackers.
>
> If a resolver correctly knows an IP address of a nameserver of a
> parent zone and the resolver and the nameserver can communicate
> with a long enough ID, the resolver can correctly know an IP
> address of a nameserver of a child zone, which is secure enough
> data origin security.
No.

https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/

https://www.theregister.com/2018/04/24/myetherwallet_dns_hijack/

Etc.

Securing the channel of communication != securing the data communicated via that channel.

Regards,
-drc
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
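The distinction drawn in the reply above (a channel check is not a data-origin check) as an added worked model; this is editor-added example code, not code from the thread or from any DNS implementation. It simplifies a DNS cookie (RFC 7873) to "the resolver accepts a response only if it echoes the random bytes the resolver sent", and stands in for a DNSSEC RRSIG/DNSKEY pair with a Lamport one-time signature over SHA-256 (real DNSSEC uses RSA, ECDSA or EdDSA; the record encoding, names and addresses below are invented). The two incidents linked in the reply were BGP hijacks, which put the attacker on the path to the server's IP address; the model shows that such an attacker passes the cookie check and fails only the signature check.

```python
"""Toy model: DNS cookie (channel check) vs. signature over the RRset
(data-origin check) against on-path and off-path attackers.

Added example, not part of the thread. The Lamport scheme is a stand-in
for DNSSEC signatures; the record format is an invented text encoding.
"""
import hashlib
import hmac
import secrets

# --- Transport check: simplified DNS cookie (RFC 7873) -------------------
# The resolver puts 8 random bytes in the query and accepts a response only
# if the same bytes come back. Anyone who can read the query (on-path, e.g.
# after a BGP hijack of the server's prefix) can echo them; an off-path
# spoofer has to guess 64 bits.

def make_client_cookie() -> bytes:
    return secrets.token_bytes(8)

def cookie_ok(sent: bytes, received: bytes) -> bool:
    return hmac.compare_digest(sent, received)

# --- Data-origin check: Lamport one-time signature -----------------------
# Models a DNSKEY/RRSIG pair: the zone owner keeps `sk`; the resolver has
# learned `pk` through the trust chain (DS in the parent, root trust anchor).

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one preimage per hash bit; a key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(msg)))

# --- The exchange ---------------------------------------------------------
# A "response" is (echoed cookie, RRset bytes, signature); the RRset bytes
# use an invented textual encoding, not DNS wire format.

def rrset(name: str, addr: str) -> bytes:
    return f"{name} IN A {addr}".encode()

def validate(sent_cookie: bytes, response, zone_pk):
    """Judge a response the way a validating resolver would: the cookie
    says whether the answer came back over the channel the query went out
    on; the signature says whether the zone owner produced the data."""
    cookie, data, sig = response
    return cookie_ok(sent_cookie, cookie), verify(zone_pk, data, sig)

def scenario():
    zone_sk, zone_pk = keygen()                      # zone owner's key
    real = rrset("wallet.example.", "192.0.2.10")    # constructed sample record
    real_sig = sign(zone_sk, real)

    cookie = make_client_cookie()                    # resolver sends this with the query

    # 1. Honest authoritative server answers.
    honest = (cookie, real, real_sig)

    # 2. BGP hijack: the attacker now receives the query, so it sees the
    #    cookie, and answers with an address it controls, reusing the
    #    genuine signature it captured earlier.
    forged = rrset("wallet.example.", "198.51.100.66")
    hijack_reuse_sig = (cookie, forged, real_sig)

    # 3. Same hijacker, but signing the forged record with its own key.
    atk_sk, _atk_pk = keygen()
    hijack_own_key = (cookie, forged, sign(atk_sk, forged))

    # 4. Off-path spoofer: cannot see the query, so must guess the cookie.
    offpath = (secrets.token_bytes(8), forged, real_sig)

    return {
        "honest": validate(cookie, honest, zone_pk),
        "hijack_reuse_sig": validate(cookie, hijack_reuse_sig, zone_pk),
        "hijack_own_key": validate(cookie, hijack_own_key, zone_pk),
        "offpath_spoof": validate(cookie, offpath, zone_pk),
    }

if __name__ == "__main__":
    for name, (channel, data) in scenario().items():
        print(f"{name:18s} channel_ok={channel!s:5s} data_ok={data}")
```

Both hijack cases come back with `channel_ok=True`: the cookie did exactly what it is designed to do, since the response really did arrive over the channel the query used, and that channel now ends at the attacker. Only the signature check, which depends on a key the attacker does not hold rather than on where packets were routed, rejects the forged record. The off-path case is the one situation cookies address, and the cookie check fails there with probability 1 - 2^-64.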
