As I wrote:
Such an individual would have to get access, create the records, give
them to others, who then have to on-path attack you. At the TLD level
and higher, this involves HSMs and physical access restrictions using
a “four eyes minimum” approach.
Not surprisingly, diginotar was equally strongly secure.
Are there anyone who still think DNSSEC were cryptographically secure
or had protected TLDs more securely than diginotar?
Masataka Ohta
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
