Mark Andrews wrote:

> Sure humans could inject data in the pre-sign stage of any
> of the parents. This is no different to the occasional
> bogus NS RRsets that get added to parents today. I don't
> think anyone that knows anything about security would say
> that this can't happen. In fact this is the weakest part
> of DNSSEC.


That is, DNSSEC does NOT provide cryptographic security.

But, for the other weakest part, see below.

> For COM, COM.AU etc. we are going to have to trust that the
> registration system won't be compromised.


Considering that domain names will keep being sold on-line in realtime
with credit card payment, we will use TLS or SSL (or nothing) for secure
exchange of public keys and certificates with the registry.

It means that TLS or SSL (or nothing) is secure enough that we
don't need DNSSEC.

Worse, it also means the signature generation system is accessible online.
That is, if the registration server of, say, COM, is compromised,
all the domain names under COM become untrustworthy.

This is the weakest part of DNSSEC.

DNSSEC is just as insecure as plain DNS.

Masataka Ohta

