Alex Bligh wrote:

>> That's a big surprise, because DNSSEC is not a protection against
>> most, if not all, of attacks, even when zone administrators are
>> not compromised, which is as easy as compromising ISPs.


> Specifically, DNSSEC is a protection against injection / MITM attacks.


A man working for zone administrators can be the MITM, just as a
man working for ISPs can be the MITM.

> The alternative rational argument is to say "leave DNS insecure,


Properly implemented and operated plain DNS is secure.

Properly implemented and operated plain DNS is just as secure
as properly implemented and operated DNSSEC.

Both are weakly secure.

Of course, improperly implemented or operated DNSSEC is less secure
than properly implemented and operated plain DNS.

> solve it all at a higher level, for each protocol,
> based on certificates etc., and


PKI is weakly secure.

You can enjoy cryptographic security only when you directly share
secret information with your peer. Security does cost.

Masataka Ohta


