RE: DNSSEC - Signature Only vs the MX/A issue.
If you want to make such statements first state your risk model.
Otherwise we end up engaged in hairsplitting debates that have no basis
in common sense. There is no perfect security, get over it.
DNSSEC provides certain cryptographic controls in certain instances.
DNSSEC is clearly not necessary to do anything we do today otherwise we
could not do it.
The point is that Internet security is kind of a mess. There is no
coherent architecture.
The utility in DNSSEC lies in the deployment of the next generation of
Internet security infrastructure which uses DNS to perform policy
distribution. Protocols like DKIM and architectures that address the
issue of deperimeterization.
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Masataka Ohta
> Sent: Sunday, December 10, 2006 8:38 PM
> To: Paul Vixie
> Cc: Christian Huitema; Ralph Droms; bert hubert;
> namedroppers@ops.ietf.org
> Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
>
> Paul Vixie wrote:
>
> > so the Secure DNS model is
> > end-to-end rather than interior-only.
>
> It is not e2e.
>
> With DNSSEC, zone administrators between you and your peer
> are the intelligent intermediate entities subject to all the
> technical and social hacking attacks.
>
> E2e security can be enjoyed if and only if you and your peer
> directly share secret information without intelligent
> intermediate entities.
>
> DNSSEC does not provide cryptographic security.
>
> PKI does not provide cryptographic security.
>
> Masataka Ohta
>
> --
> to unsubscribe send a message to
> namedroppers-request@ops.ietf.org with the word 'unsubscribe'
> in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>