On Fri, Jul 25, 2008 at 12:24:09PM -0700, David Conrad wrote:
> Joe,
> On Jul 25, 2008, at 10:03 AM, Joe Abley wrote:
> >I think that's wrong. I think that once someone is in the position
> >of being able to meddle with the query/response stream, all bets are
> >off and DNSSEC is no cure.

> The whole point of DNSSEC is to allow for the validation of responses
> by a validator to ensure they haven't been mucked with in transit.
> The most that an attacker, anywhere in a properly configured DNSSEC-
> protected query/response path, can do is denial of service.

so, it does not matter where the data comes from, as long
as the "wrapper" is intact.

> Once the response leaves the validator on its way to the application,
> either via the response to an unprotected stub resolver call over the
> network or via a intra-machine IPC, it can, of course be mucked with.
> This is why I believe that if people want to be safe, they need to run
> a validating caching server on their local machine (if the intra-
> machine IPC can be compromised, you've got bigger problems).

you are not alone in this belief.

> But maybe I'm lacking context here...

this is no doubt true for many of us.

> Regards,
> -drc


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.