Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
On 24 Jul 2008, at 18:14, Jelte Jansen wrote:
> how would you verify anything without a trust anchor?
Surely that's a mechanical detail.
> I don't think anyone here implies that DNSSEC works when you do not
> actually turn it on on the resolver you are using.
The implication I was replying to seemed to state fairly clearly that
DNSSEC would make it impossible for middleboxes to meddle with DNS
queries and replies and provide answers that were not those that would
be received from the authority-only servers concerned.
I think that's wrong. I think that once someone is in the position of
being able to meddle with the query/response stream, all bets are off
and DNSSEC is no cure.
What is required to circumvent such sabotage is not the ability to
verify the integrity of the data in-band, but either the ability to
signal that signatures should be present out-of-band, or a means of
verifying transport integrity to a resolver which is trusted, or
something. DNSSEC on its own isn't enough.
Joe
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
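The argument above, as an added illustration that is not part of Joe's message or of the thread: a small Python model of where DNSSEC validation has to happen. It is a constructed toy, not DNS wire format; an HMAC stands in for RRSIG/DNSKEY, the validator's copy of the key stands in for a configured trust anchor, and the `zone_known_signed` flag stands in for whatever tells the validator that a signature should be present (in real DNSSEC, a signed DS record in the parent or a trust anchor). The names `authoritative_answer`, `middlebox_rewrite`, `validate` and `non_validating_stub` are assumptions for this example.

```python
# Toy model of the point made in the thread: DNSSEC signatures only help at
# the resolver that actually validates them against a trust anchor. A box
# that can rewrite the query/response stream in front of a non-validating
# client, or in front of a validator that has no way to know the zone is
# signed, goes undetected. Constructed example: HMAC stands in for
# RRSIG/DNSKEY, strings stand in for RRsets; nothing here is DNS wire format.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ZONE_KEY = b"constructed-zone-signing-key"  # the zone operator's signing key
TRUST_ANCHOR = ZONE_KEY  # toy stand-in: the validator's configured anchor


@dataclass
class Answer:
    name: str
    rdata: str
    rrsig: Optional[bytes] = None  # None: unsigned, or signature stripped in transit


def _mac(key: bytes, name: str, rdata: str) -> bytes:
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).digest()


def authoritative_answer(name: str, rdata: str = "192.0.2.10") -> Answer:
    """What the zone's own servers hand out: data plus a signature over it."""
    return Answer(name, rdata, _mac(ZONE_KEY, name, rdata))


def middlebox_rewrite(answer: Answer, new_rdata: str) -> Answer:
    """A box in the path substitutes rdata. It holds no zone key, so it can only
    drop the signature (or leave a stale one, which also fails validation)."""
    return Answer(answer.name, new_rdata, rrsig=None)


def validate(answer: Answer, anchor: bytes = TRUST_ANCHOR,
             zone_known_signed: bool = True) -> str:
    """Validator outcome for one answer: 'secure', 'insecure' or 'bogus'.

    zone_known_signed models whether the validator has reason to expect an
    RRSIG at all. Without that knowledge a stripped signature looks like an
    unsigned zone ('insecure') and the substituted data is accepted.
    """
    if answer.rrsig is None:
        return "bogus" if zone_known_signed else "insecure"
    expected = _mac(anchor, answer.name, answer.rdata)
    return "secure" if hmac.compare_digest(expected, answer.rrsig) else "bogus"


def non_validating_stub(answer: Answer) -> str:
    """A stub that simply trusts its resolver uses whatever rdata arrives."""
    return answer.rdata


def run_scenarios(name: str = "www.example.") -> dict:
    genuine = authoritative_answer(name)
    forged = middlebox_rewrite(genuine, "198.51.100.1")
    tampered = Answer(name, "198.51.100.1", genuine.rrsig)  # rdata changed, old RRSIG kept
    return {
        # validator with a trust anchor, answer untouched
        "validator_genuine": validate(genuine),
        # validator with a trust anchor, signature stripped in transit
        "validator_forged": validate(forged),
        # validator with a trust anchor, rdata changed but signature left in place
        "validator_tampered": validate(tampered),
        # validator that cannot tell the zone is signed: stripping goes unnoticed
        "validator_no_signal": validate(forged, zone_known_signed=False),
        # non-validating stub behind a validating resolver, box between the two
        "stub_forged": non_validating_stub(forged),
    }


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:22s} -> {outcome}")
```

Only the first three cases put the validator in a position to notice the rewrite, and only because it both holds an anchor and knows a signature is due. The last two cases are the ones the message is about: a validator with no signal that the zone is signed sees "insecure" rather than "bogus", and a stub that does no validation of its own has no defence at all against a box sitting between it and its resolver, which is why the message points at transport integrity to a trusted resolver rather than at DNSSEC alone.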