--On 05 December 2006 17:58 +0900 Masataka Ohta

> That's a big surprise, because DNSSEC is not a protection against
> most, if not all, attacks, even when zone administrators are
> not compromised, which is as easy as compromising ISPs.

Specifically, DNSSEC is a protection against injection / MITM attacks.

Of course there is the possibility that the zone itself is compromised. But
if you can compromise an ISP, it is far easier to compromise the web site in
question (which is invariably the app they are considering).

But even if you are right, and DNSSEC does not protect against the majority
of attacks (for some defined set of attacks), I don't see why that implies
it is not useful; it is a useful component in solving the whole problem
(i.e. securing against that set of attacks).

The alternative rational argument is to say "leave DNS insecure, just
like IP is insecure, solve it all at a higher level, for each protocol,
based on certificates etc., and teach apps that in general DNS alone
cannot be trusted". wc -l /etc/services suggests this is an inefficient
route to take (yes, a gross simplification, I know, but you get my point).


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.