On Thu, Jan 26, 2012 at 03:06:52PM -0500, Daniel Kahn Gillmor wrote:

> > DNS is certainly not a shining beacon when it comes to resistance to
> > fraud or coercion. Let's not make it a single point of failure.

I think it would be really nice if we would make some distinctions among different phænomena. It seems to me to be absurd to collapse attacks on the registration side of the DNS and attacks on the resolution side of the DNS as though it's all "the DNS". To begin with, a significant number of registrations in the DNS don't share a common mechanism for registration, so making sweeping generalizations is going to be a waste of time.

That said, it's clearly true that TLSA records in a zone do you no good if you are mistaken about who is operating the zone. It does seem to me that it would be possible to use multiple channels to check whether a given name is operated by the person you think it is, and that a mechanism to do such checking is in-scope on this list. (I also wonder whether what's going on in REPUTE might be helpful.)

Best regards,

Andrew

--
Andrew Sullivan
[email protected]

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
