From a security point of view it is the security of the system that matters, not the security of the individual components.

The S in DNS stands for System. If a system is going to be robust in practice it has to take account of all possible sources of error including administrative incompetence and user error. Security that only looks at malice is brittle security. Getting defensive about problems is not going to solve them.

On Thu, Jan 26, 2012 at 4:06 PM, Andrew Sullivan <[email protected]> wrote:
> On Thu, Jan 26, 2012 at 03:06:52PM -0500, Daniel Kahn Gillmor wrote:
>>
>> DNS is certainly not a shining beacon when it comes to resistance to
>> fraud or coercion. Let's not make it a single point of failure.
>
> I think it would be really nice if we would make some distinctions
> among different phænomena. It seems to me to be absurd to collapse
> attacks on the registration side of the DNS and attacks on the
> resolution side of the DNS as though it's all "the DNS". To begin
> with, a significant number of registrations in the DNS don't share a
> common mechanism for registration, so making sweeping generalizations
> is going to be a waste of time.
>
> That said, it's clearly true that TLSA records in a zone do you no
> good if you are mistaken about who is operating the zone. It does
> seem to me that it would be possible to use multiple channels to check
> whether a given name is operated by the person you think it is, and
> that a mechanism to do such checking is in-scope on this list. (I
> also wonder whether what's going on in REPUTE might be helpful.)
>
> Best regards,
>
> Andrew
>
> --
> Andrew Sullivan
> [email protected]
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey

--
Website: http://hallambaker.com/
