Ted Lemon wrote:

> What's nice about DNSSEC is that there's no user in the loop. To jam
> DNSSEC, you have to actually break the protocol


No. It is enough to break a zone in the loop.

> It's true that SSL will protect you
> if you use it correctly, but whether or not you use it correctly
> depends on the user.


Security of SSL, DNS or PKI in general depends both on the user and
intermediate administrators.

> I think you're seriously discounting the importance of human factors
> when you say that the security of the DNS channel doesn't matter.


You're seriously discounting the importance of human factors
when you say that the security of the DNS channels through zones
doesn't matter.

PKI, including but not limited to DNSSEC, is merely weakly secure
and is subject to MitM attacks.

Masataka Ohta



