Paul Vixie wrote:

> so the Secure DNS model is
> end-to-end rather than interior-only.


It is not e2e.

With DNSSEC, zone administrators between you and your peer are
the intelligent intermediate entities subject to all the technical
and social hacking attacks.

E2e security can be enjoyed if and only if you and your peer directly
share secret information without intelligent intermediate entities.

DNSSEC does not provide cryptographic security.

PKI does not provide cryptographic security.

Masataka Ohta



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: