As I wrote:
Such an individual would have to get access, create the records, give them to others, who then have to on-path attack you. At the TLD level and higher, this involves HSMs and physical access restrictions using a “four eyes minimum” approach.
Not surprisingly, DigiNotar was equally strongly secure.
Is there anyone who still thinks DNSSEC was cryptographically secure or had protected TLDs more securely than DigiNotar?

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop