Ted Lemon wrote:

> There are still ways to forge the contents of a DNS zone. But they
> all involve getting access to the signing key for that zone.


Wrong.

A forged signature in an ancestor zone of the target zone is
enough.

The ancestor zone is the place where a trivial MitM attack
works.

> So yes, DNSSEC is not a panacea.


For fair evaluation of DNSSEC, let's accept your statement that:

>> I think you're seriously discounting the importance of human factors
>> when you say that the security of the DNS channel doesn't matter.


Now, you can see that the human factors of the DNSSEC channel through
zones do matter.

So, we can agree that PKIs, including DNSSEC, are seriously
discounting the importance of human factors.

With that agreement, the only thing we can do is to accept that
human management of DNS, including DNSSEC, is not very secure.

Masataka Ohta
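The claim above that a forged signature in an ancestor zone is enough, as an added example (not from the post, and not code from any DNS implementation): a toy model of the DNSSEC chain of trust in Python. Schoolbook RSA over fixed Mersenne primes stands in for a real signing algorithm, records are simplified to (owner, type) -> (data, rrsig), and the zone names and addresses (example.com, 192.0.2.1, 203.0.113.66) are constructed. A validator configured only with the root key checks each zone's DNSKEY against the DS record its parent signed. A forged A record from an attacker with no key fails, but an attacker holding com.'s signing key can publish a DS for a key of their own and serve a fully signed fake example.com; example.com.'s real key is never consulted.

```python
# Added example (not from the post or from any DNS implementation): a toy model
# of the DNSSEC chain of trust, showing that whoever signs the parent's DS
# record decides which key the validator trusts for the child.
# Assumptions: schoolbook RSA with fixed Mersenne primes and SHA-256 stands in
# for a real DNSSEC algorithm; records are (owner, type) -> (data, rrsig);
# names and addresses are constructed (documentation ranges).
import copy
import hashlib

def sha256_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class Key:
    """Toy RSA key pair from two fixed primes (no padding, not for real use)."""
    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def public(self):
        return (self.e, self.n)

    def sign(self, msg: bytes) -> int:
        return pow(sha256_int(msg) % self.n, self.d, self.n)

def verify(pub, msg: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == sha256_int(msg) % n

def rr_message(owner, rtype, data) -> bytes:
    return f"{owner}|{rtype}|{data}".encode()

def key_text(pub) -> str:
    return f"{pub[0]}:{pub[1]}"

def ds_digest(key_txt: str) -> str:
    return hashlib.sha256(key_txt.encode()).hexdigest()

class Zone:
    """A signed zone: every RRset carries one RRSIG made with the zone key."""
    def __init__(self, name, key):
        self.name, self.key, self.rrsets = name, key, {}
        self.publish(name, "DNSKEY", key_text(key.public()))

    def publish(self, owner, rtype, data):
        self.rrsets[(owner, rtype)] = (data, self.key.sign(rr_message(owner, rtype, data)))

    def delegate(self, child, child_pub):
        # DS = digest of the child's DNSKEY, signed by this (the parent) zone
        self.publish(child, "DS", ds_digest(key_text(child_pub)))

def validate(view, chain, owner, rtype, trust_anchor) -> bool:
    """Validate (owner, rtype) in chain[0], walking DS records up to chain[-1],
    whose DNSKEY must equal the configured trust anchor. `view` is what the
    resolver observes; nothing in it is trusted until its signature checks."""
    need = (owner, rtype)
    for i, zname in enumerate(chain):
        zone = view[zname]
        ktxt, ksig = zone.rrsets[(zname, "DNSKEY")]
        pub = tuple(int(x) for x in ktxt.split(":"))
        if not verify(pub, rr_message(zname, "DNSKEY", ktxt), ksig):
            return False                      # DNSKEY RRset is self-signed
        data, sig = zone.rrsets.get(need, (None, None))
        if data is None or not verify(pub, rr_message(need[0], need[1], data), sig):
            return False                      # target RRset must be signed by this key
        if i == len(chain) - 1:
            return pub == trust_anchor        # top of the chain: compare to the anchor
        parent_ds = view[chain[i + 1]].rrsets.get((zname, "DS"), (None, None))[0]
        if parent_ds != ds_digest(ktxt):
            return False                      # parent must vouch for this key via DS
        need = (zname, "DS")                  # next round checks that DS's signature
    return False

CHAIN = ["example.com.", "com.", "."]

def build_honest():
    root = Zone(".", Key(2**61 - 1, 2**89 - 1))
    com = Zone("com.", Key(2**31 - 1, 2**107 - 1))
    example = Zone("example.com.", Key(2**19 - 1, 2**127 - 1))
    example.publish("www.example.com.", "A", "192.0.2.1")  # constructed address
    com.delegate("example.com.", example.key.public())
    root.delegate("com.", com.key.public())
    return root, com, example

def forge_leaf_without_key(example):
    """On-path attacker with no key at all: swaps the A data, keeps the old RRSIG."""
    fake = copy.deepcopy(example)
    _, old_sig = fake.rrsets[("www.example.com.", "A")]
    fake.rrsets[("www.example.com.", "A")] = ("203.0.113.66", old_sig)
    return fake

def forge_via_ancestor(root, com):
    """Attacker who holds com.'s signing key but NOT example.com.'s: publishes a
    DS for a key of their own and serves a fully signed fake example.com."""
    evil_key = Key(2**13 - 1, 2**17 - 1)
    evil_example = Zone("example.com.", evil_key)
    evil_example.publish("www.example.com.", "A", "203.0.113.66")
    evil_com = copy.deepcopy(com)                 # attacker has com.'s private key
    evil_com.delegate("example.com.", evil_key.public())
    return {".": root, "com.": evil_com, "example.com.": evil_example}

def run_scenarios():
    """Returns (honest chain, leaf forged without key, forged via ancestor key)."""
    root, com, example = build_honest()
    anchor = root.key.public()
    honest = {".": root, "com.": com, "example.com.": example}
    leaf = {**honest, "example.com.": forge_leaf_without_key(example)}
    q = ("www.example.com.", "A")
    return (validate(honest, CHAIN, q[0], q[1], anchor),
            validate(leaf, CHAIN, q[0], q[1], anchor),
            validate(forge_via_ancestor(root, com), CHAIN, q[0], q[1], anchor))

if __name__ == "__main__":
    print(run_scenarios())  # (True, False, True)
```

The third result is the one the post is about: the validator's only configured secret is the root key, every check passes, and the fake www.example.com. record is accepted even though the attacker never touched example.com.'s own key. Nothing in the validation algorithm can distinguish a DS the parent signed on purpose from one the parent was tricked or coerced into signing, which is where the human factors of the parent-child channel enter.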


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: