Ted Lemon wrote:
 
> Ohta-san, if you want to comment on the protocol, you really ought to  
> learn how it works first.

I really hope you can learn how to read mails before sending yours.

>> The problem, then, is that the validation is indirectly hop by
>> hop, not end to end.

> This is not how it works. The way it works is that the validating  
> resolver does _all_ of the validation.

First, let your resolver try to resolve something with network
connections detached and see what happens.

Then, read the following mail of mine again (or, for the first time?).

> I'm not talking about caching servers.
>>      Authoritative nameserver to iterative client works.
> There are intelligent intermediate entities of root, TLD and
> other servers between you and authoritative nameservers of your
> peer.
> Because DNS is not end to end, DNSSEC is not secure end to end.
> Root, TLD and other zones between you and a zone of your peer
> are the targets of MitM attacks on DNSSEC.

> Subsequent validations

Such chaining of the validations is hop by hop.

No attempt to call it end to end alters the reality that MitM
attacks are possible on intermediate zones on the validation
chain.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
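The point argued in this thread is which zones a validating resolver ends up relying on when it validates one name. The following toy model is an added example, not code from either poster or from any DNS implementation: it walks a DNSSEC-style chain of trust (trust anchor, DNSKEY, DS, child DNSKEY, and so on down to the RRSIG over the record) and reports the zone at which validation stops. Signatures are stand-ins (an HMAC keyed with the zone's key bytes) so the block runs offline; zone names, keys and the record are constructed. The model assumes every label below the root is a zone cut and that the record sits at a leaf name inside the last zone.

```python
"""Toy model of the DNSSEC chain of trust (constructed example, not real DNS).

Signatures are stand-ins: an HMAC keyed with the zone's "DNSKEY" bytes.
Real DNSSEC uses public-key signatures, but the walk from the trust anchor
down through each parent's DS record to the child's DNSKEY is the same.
"""
import hashlib
import hmac


def key_digest(key: bytes) -> str:
    # Stand-in for a DS record: the digest of the child zone's DNSKEY.
    return hashlib.sha256(key).hexdigest()


def sign(key: bytes, owner: str, data: str) -> str:
    # Stand-in for an RRSIG over one record, made with the zone's key.
    return hmac.new(key, f"{owner}|{data}".encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, owner: str, data: str, rrsig: str) -> bool:
    return hmac.compare_digest(sign(key, owner, data), rrsig)


class Zone:
    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key      # the zone's DNSKEY (used for signing and verifying here)
        self.ds = {}        # child zone name -> (digest, rrsig)
        self.records = {}   # owner name -> (data, rrsig)

    def delegate(self, child: "Zone") -> None:
        # Publish a DS for the child, signed with this (parent) zone's key.
        digest = key_digest(child.key)
        self.ds[child.name] = (digest, sign(self.key, child.name, digest))

    def add_record(self, owner: str, data: str) -> None:
        self.records[owner] = (data, sign(self.key, owner, data))


def zone_chain(owner: str) -> list:
    # Ancestor zones from the root down, e.g. "www.example.com." ->
    # [".", "com.", "example.com."]. Assumes every label is a zone cut.
    labels = owner.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, 0, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def validate(zones: dict, anchor_digest: str, owner: str) -> tuple:
    """Walk the chain from the trust anchor down to the record.

    Returns ("ok", [zones walked]) or ("fail", zone_name, reason).
    A zone's key is trusted only because the parent's signed DS says so,
    so every ancestor zone is a link the result depends on.
    """
    chain = zone_chain(owner)
    expected = anchor_digest
    walked = []
    for i, zname in enumerate(chain):
        zone = zones[zname]
        if key_digest(zone.key) != expected:
            return ("fail", zname, "DNSKEY does not match the DS published by the parent")
        walked.append(zname)
        if i + 1 < len(chain):
            child = chain[i + 1]
            if child not in zone.ds:
                return ("fail", zname, f"no DS for {child}")
            digest, rrsig = zone.ds[child]
            if not verify(zone.key, child, digest, rrsig):
                return ("fail", zname, f"bad RRSIG over DS for {child}")
            expected = digest
    leaf = zones[chain[-1]]
    if owner not in leaf.records:
        return ("fail", chain[-1], "record missing")
    data, rrsig = leaf.records[owner]
    if not verify(leaf.key, owner, data, rrsig):
        return ("fail", chain[-1], "bad RRSIG over record")
    return ("ok", walked)


def build_example() -> dict:
    # Constructed zones; the key bytes are arbitrary placeholders.
    root = Zone(".", b"root-key-placeholder")
    com = Zone("com.", b"com-key-placeholder")
    example = Zone("example.com.", b"example-key-placeholder")
    root.delegate(com)
    com.delegate(example)
    example.add_record("www.example.com.", "A 192.0.2.10")
    return {z.name: z for z in (root, com, example)}


def demo() -> tuple:
    zones = build_example()
    anchor = key_digest(zones["."].key)  # the validator's configured trust anchor
    good = validate(zones, anchor, "www.example.com.")
    # Change only the DS held in "com." to the digest of some other key.
    # Nothing in example.com. changed, yet its key no longer validates:
    # which key counts as example.com.'s is decided one zone up.
    com = zones["com."]
    other = key_digest(b"some-other-key-placeholder")
    com.ds["example.com."] = (other, sign(com.key, "example.com.", other))
    changed = validate(zones, anchor, "www.example.com.")
    return good, changed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second result stops at `example.com.` with a DNSKEY/DS mismatch even though that zone's data is untouched, which is the dependency the thread is arguing about: the zones returned in the `walked` list are the ones whose DS and DNSKEY records the validator had to accept on the way down, so that list is the set of parties you are trusting for one answer.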