> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Masataka Ohta
> Subject: Re: [DNSOP] A different question
>
> There are intelligent intermediate entities of root, TLD and
> other servers between you and authoritative nameservers of your
> peer.
This is on data distribution path level, not infrastructure, nor data.

> Because DNS is not end to end, DNSSEC is not secure end to end.

I don't care if the infrastructure is TCP, UDP, Token Ring or carrier pigeons. I don't trust the infrastructure because it has a MITM (or pigeon in the middle) I don't know. I don't even trust the data distribution, DNS, as it has a MITM as you say. Trying to secure the infrastructure hop-by-hop is the bell-head solution, which, with an increase of operators, has proven to be neither scalable nor efficient. Data is the ultimate end-to-end, from your brain into mine, without any dependency on the infrastructure in between.

> Root, TLD and other zones between you and a zone of your peer
> are the targets of MitM attacks on DNSSEC.

All these MITMs are MITMs in infrastructure, but not all in data. None of these infrastructure MITMs can fiddle with the end-user's data without the end-user's cooperation or notice. The only thing a MITM can do is revoke the data path to reach a trust anchor, which will trigger the flag that the data path is not secure anymore.

I agree with you that a data parent can, without cooperation of a child, set up a new trust anchor, data path and data. But parents are not the only MITMs. Parents are to be trusted, as you have accepted them in your data path. You are aware of their existence. Other MITMs not in the data path, but present in the infrastructure path, aren't to be trusted.

Secure the data path, not the infrastructure. I believe that is what DNSSEC does.

Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525500
F +31 26 3525505
M +31 6 23368970
E [EMAIL PROTECTED]
W http://www.sidn.nl/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
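The distinction argued in the reply above (a parent already on the data path can re-delegate a child; any other intermediary on the infrastructure path can only make validation fail), as an added Go example that is not from the thread: a toy chain-of-trust validator in which ed25519 keys and signatures stand in for DNSKEY/RRSIG and a SHA-256 key digest stands in for DS. The zone names and addresses are constructed, and the validator is a simplified model, not a real resolver.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)
// Zone is one link in a DNSSEC chain: its key, the one record set it publishes
// (the DS of its child, or the leaf answer) and the RRSIG over that record set.
type Zone struct {
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey
	Data, Sig []byte
}
func NewZone() *Zone { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &Zone{priv: priv, Pub: pub} }
// dsOf stands in for a DS record: a digest of the child's public key.
func dsOf(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }
// Publish signs a record set; only the holder of the zone's private key can.
func (z *Zone) Publish(data []byte) { z.Data = data; z.Sig = ed25519.Sign(z.priv, data) }
// Validate walks down from the trust anchor: each zone's key must match the DS its
// parent signed and each RRSIG must verify under that key; any break is bogus.
func Validate(anchor ed25519.PublicKey, chain []*Zone) bool {
	expectDS := dsOf(anchor)
	for _, z := range chain {
		if !bytes.Equal(dsOf(z.Pub), expectDS) || !ed25519.Verify(z.Pub, z.Data, z.Sig) {
			return false
		}
		expectDS = z.Data // a parent's signed Data is the DS of the next zone down
	}
	return true
}
// Scenario builds root -> nl. -> example.nl. (constructed names and addresses) and
// validates it untouched ("honest"), after an outsider holding no zone key rewrites
// the answer in transit ("outsider"), or after parent nl. re-delegates to its own key ("parent").
func Scenario(mode string) bool {
	root, tld, child := NewZone(), NewZone(), NewZone()
	child.Publish([]byte("example.nl. A 192.0.2.1"))
	tld.Publish(dsOf(child.Pub))
	root.Publish(dsOf(tld.Pub))
	forged := []byte("example.nl. A 203.0.113.9")
	switch mode {
	case "outsider":
		child.Data = forged // the child's RRSIG no longer covers this data
	case "parent":
		child = NewZone()
		child.Publish(forged)
		tld.Publish(dsOf(child.Pub)) // the parent signs a DS for the substituted key
	}
	return Validate(root.Pub, []*Zone{root, tld, child})
}
```

The outsider case yields bogus because no key on the path signed the rewritten data; the parent case validates because the parent is the entity the trust chain already relies on for the child's DS.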