Mark Andrews wrote:

>>DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
>>users a false sense of security.

>       You already have to trust your parents to publish your
>       delegating NS RRset.

So, technically, DNSSEC is no worse but no better than PODS.

>>That is, WG discussion on securing NXDOMAIN has been totally
>>meaningless.

>       That really depends on which persons you are attempting to
>       prevent tampering from.

Social implementations of DNSSEC may be (or, considering its complexity,
will always be) vulnerable to tampering from any person.

>       Which like most things to do with security is a matter of
>       education.

Quick upgrading of programs with open security holes is another, but
a lot easier, matter of education.

So, if we are discussing security in the real world, let's never
assume that people are automagically educated to treat all the
complex aspects of DNSSEC operations properly.

>>As I already posted, try to improve implementations to use TCP with
>>random sequence number and random port, which is not more
>>difficult than to improve caching behavior of implementations.

>       TCP only addresses one of the issues.

Let's accept the reality that DNS operation is human and cannot be
very secure.

                                                        Masataka Ohta


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop