On Aug 22, 2008, at 12:20 PM, Nicholas Weaver wrote:
> Against an adversary on the local wireless network, you have to assume
> either full end-to-end crypto on the final application or you are
> sunk. Period


Opportunities to jam DHCP are infrequent. Jamming an entire TCP stream
is hard, and you only have to miss once to get caught. Jamming
single DNS transactions is easy, and opportunities to do so will be
frequent. If you miss, you don't get caught - the traffic just goes
through.

What's nice about DNSSEC is that there's no user in the loop. To jam
DNSSEC, you have to actually break the protocol - you can't just
convince the user not to use it. It's true that SSL will protect you
if you use it correctly, but whether or not you use it correctly
depends on the user.

I think you're seriously discounting the importance of human factors
when you say that the security of the DNS channel doesn't matter.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
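The message above argues that a spoofed DNS answer which loses the race simply goes unnoticed, and that DNSSEC validation works without the user's involvement. The following Python snippet is an added example, not part of the thread or of any IETF code: it parses raw DNS responses from a packet capture, reports transaction IDs that received more than one response with differing answers (the leftover evidence of a lost race that a resolver would otherwise discard silently), and exposes the AD bit that a validating DNSSEC resolver sets. The sample packets are constructed inline using documentation address ranges; the function names and the wire-format builder are assumptions made for the example.

```python
import struct
from collections import defaultdict

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: validating resolver verified DNSSEC signatures


def build_response(txid, name, addr, ad=False):
    """Construct a minimal single-A-record DNS response (sample data for the parser)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)  # 1 question, 1 answer
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in addr.split("."))
    # Answer owner name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_name(buf, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode())
        off += length


def parse_response(buf):
    """Return header fields of interest plus the IPv4 addresses from the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(buf, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = parse_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {
        "txid": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "answers": answers,
    }


def find_conflicting_responses(packets):
    """Group responses by transaction ID; report IDs whose responses disagree.

    A resolver keeps only the first matching answer and drops the rest, so
    the second, differing response is visible only to a capture-based check.
    """
    seen = defaultdict(list)
    for pkt in packets:
        r = parse_response(pkt)
        if r["qr"]:
            seen[r["txid"]].append(tuple(r["answers"]))
    return {txid: sorted(set(a)) for txid, a in seen.items() if len(set(a)) > 1}


# Constructed sample capture: txid 0x1234 got two answers that disagree,
# txid 0x5678 got one answer from a validating resolver (AD set).
SAMPLE_PACKETS = [
    build_response(0x1234, "www.example.com", "192.0.2.10"),
    build_response(0x1234, "www.example.com", "198.51.100.7"),
    build_response(0x5678, "example.net", "203.0.113.5", ad=True),
]

if __name__ == "__main__":
    for txid, answers in find_conflicting_responses(SAMPLE_PACKETS).items():
        print(f"txid {txid:#06x}: conflicting answers {answers}")
    print("AD bit on last response:", parse_response(SAMPLE_PACKETS[2])["ad"])
```

In a real deployment the packets would come from a capture of the resolver's inbound UDP/53 traffic; matching on the 16-bit transaction ID alone is deliberately coarse so that the check flags every disagreeing pair, and the AD bit is meaningful only on the link between a validating resolver and its own clients.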