If you want to make such statements first state your risk model.


Otherwise we end up engaged in hairsplitting debates that have no basis
in common sense. There is no perfect security, get over it.

DNSSEC provides certain cryptographic controls in certain instances.
DNSSEC is clearly not necessary to do anything we do today otherwise we
could not do it.

The point is that Internet security is kind of a mess. There is no
coherent architecture.

The utility in DNSSEC lies in the deployment of the next generation of
Internet security infrastructure which uses DNS to perform policy
distribution. Protocols like DKIM and architectures that address the
issue of deperimeterization.



> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Masataka Ohta
> Sent: Sunday, December 10, 2006 8:38 PM
> To: Paul Vixie
> Cc: Christian Huitema; Ralph Droms; bert hubert;
> namedroppers@ops.ietf.org
> Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
>
> Paul Vixie wrote:
>
> > so the Secure DNS model is
> > end-to-end rather than interior-only.

>
> It is not e2e.
>
> With DNSSEC, zone administrators between you and your peer
> are the intelligent intermediate entities subject to all the
> technical and social hacking attacks.
>
> E2e security can be enjoyed if and only if you and your peer
> directly share secret information without intelligent
> intermediate entities.
>
> DNSSEC does not provide cryptographic security.
>
> PKI does not provide cryptographic security.
>=20
> Masataka Ohta
>
> --
> to unsubscribe send a message to
> namedroppers-request@ops.ietf.org with the word 'unsubscribe'
> in a single line as the message text body.
> archive:

