RE: DNSSEC - Signature Only vs the MX/A issue.
If you want to make such statements first state your risk model.
Otherwise we end up engaged in hairsplitting debates that have no basis
in common sense. There is no perfect security, get over it.
DNSSEC provides certain cryptographic controls in certain instances.
DNSSEC is clearly not necessary to do anything we do today otherwise we
could not do it.
The point is that Internet security is kind of a mess. There is no
The utility in DNSSEC lies in the deployment of the next generation of
Internet security infrastructure which uses DNS to perform policy
distribution. Protocols like DKIM and architectures that address the
issue of deperimeterization.
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of Masataka Ohta
> Sent: Sunday, December 10, 2006 8:38 PM
> To: Paul Vixie
> Cc: Christian Huitema; Ralph Droms; bert hubert;
> Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
> Paul Vixie wrote:
> > so the Secure DNS model is
> > end-to-end rather than interior-only.
> It is not e2e.
> With DNSSEC, zone administrators between you and your peer
> are the intelligent intermediate entities subject to all the
> technical and social hacking attacks.
> E2e security can be enjoyed if and only if you and your peer
> directly share secret information without intelligent
> intermediate entities.
> DNSSEC does not provide cryptographic security.
> PKI does not provide cryptographic security.
> Masataka Ohta
> to unsubscribe send a message to
> firstname.lastname@example.org with the word 'unsubscribe'
> in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>