Mark Andrews wrote:

>> Because DNS is not end to end, DNSSEC is not secure end to end.
>>
>> Root, TLD and other zones between you and a zone of your peer
>> are the targets of MitM attacks on DNSSEC.

> Which can be removed if needed by exchanging trust anchors
> with peers.

You can't.

To exchange the trust anchors, you need cryptographically secure end to end security, which is not provided by DNSSEC.

If you and your peer already have a secure channel, you have no reason to use DNSSEC for secure identification or communication with the peer.

> Anything other than one-to-one exchange of secrets/public
> keys involves some trust that the introducer is doing the
> right thing.

As the level of security is no different from PODS, it is the worst thing to bother to exchange public keys.

> If you have a solution that scales I'd love to hear it.

Because DNS is not end to end, DNS does not really scale, a manifestation of which is the load on root servers.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop