Antoin Verschuren wrote:

>> There are intelligent intermediate entities of root, TLD and
>> other servers between you and authoritative nameservers of your
>> peer.

> This is on data distribution path level, not infrastructure, nor data.

FYI, "I" of PKI is "Infrastructure". And here are the attacks on actual data:

>> Root, TLD and other zones between you and a zone of your peer
>> are the targets of MitM attacks on DNSSEC.

>> Because DNS is not end to end, DNSSEC is not secure end to end.

> I don't care if the infrastructure is TCP, UDP, Token ring or carrier pigeons,

The infrastructure here is PKI.

> I don't trust the infrastructure because it has a MITM

Yup. You shouldn't trust an infrastructure of PKI because it has a MitM.

>> Root, TLD and other zones between you and a zone of your peer
>> are the targets of MitM attacks on DNSSEC.

> All these MITM are MITM in infrastructure, but not all in Data.
> None of these infrastructure MITM can fiddle with the end-users' data without
> the end-users' cooperation or notice.

Fiddling with the end-users' data is a Man-at-the-edge attack and, because of fate sharing, is not a problem.

Instead, a MitM attack on DNSSEC is performed, for example, within intermediate zones with a forged signature on the child zone with forged end-users' data.

> But parents are not the only MITMs. Parents are to be trusted,
> as you have accepted them in your data path. You are aware of
> their existence.

Then, upstream ISPs are to be trusted, as we have accepted them in our data path. We are aware of their existence. It means that there is no MitM attack on PODS.

> Secure the data path not the infrastructure.
> I believe that is what DNSSEC does.

Your fundamental misunderstanding is that you misunderstand PKI, not an infrastructure.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
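The exchange above turns on which zones a validating resolver has to trust when it follows the DNSSEC chain from the root trust anchor down to a leaf record. The following Go program is an added illustration, not code from the thread or from any DNS implementation: it models zones with Ed25519 keys (real DNSSEC uses DNSKEY/DS/RRSIG records with their own wire formats and algorithms; the zone names, addresses and the `Zone`, `Delegate`, `SignRecord` and `ValidateChain` names are constructed for the example). The validator returns the list of zones whose signatures it accepted, which is exactly the set of parties in the message's "data path" whose keys decide what the leaf answer means, and it rejects a DS or leaf record altered by anyone who does not hold the corresponding zone key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone models one DNSSEC zone in this constructed example: its name, a key
// pair standing in for its key-signing key, and the DS record (plus the
// signature over it) that it publishes for its single child, if any.
type Zone struct {
	Name    string
	DNSKEY  ed25519.PublicKey
	priv    ed25519.PrivateKey
	ChildDS []byte // SHA-256 digest of the child's DNSKEY, as a DS record would carry
	DSSig   []byte // signature over ChildDS made with this zone's own key
}

// Record is a signed leaf answer: owner name, rdata and the child zone's signature.
type Record struct {
	Name string
	Data string
	Sig  []byte
}

// NewZone generates a fresh key pair for a zone.
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, DNSKEY: pub, priv: priv}
}

// Delegate publishes in z a DS record for child and signs it with z's key.
// This is the step at which a parent vouches for its child's key.
func (z *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.DNSKEY)
	z.ChildDS = d[:]
	z.DSSig = ed25519.Sign(z.priv, z.ChildDS)
}

// SignRecord produces a leaf record signed by this zone's key.
func (z *Zone) SignRecord(name, data string) Record {
	return Record{Name: name, Data: data, Sig: ed25519.Sign(z.priv, []byte(name+"|"+data))}
}

// ValidateChain walks from the trust anchor (the root's DNSKEY) down the
// chain of zones and checks rec against the leaf zone's key. It returns the
// names of every zone whose signature the validator had to accept on the way.
func ValidateChain(anchor ed25519.PublicKey, chain []*Zone, rec Record) ([]string, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	trusted := anchor
	vouched := make([]string, 0, len(chain))
	for i, z := range chain {
		// The key we currently trust must be the DNSKEY this zone presents.
		if !bytes.Equal(trusted, z.DNSKEY) {
			return nil, fmt.Errorf("DNSKEY of %q does not match the trusted key", z.Name)
		}
		vouched = append(vouched, z.Name)
		if i == len(chain)-1 {
			break
		}
		child := chain[i+1]
		// The parent's signature over the DS must verify under the parent's key...
		if !ed25519.Verify(trusted, z.ChildDS, z.DSSig) {
			return nil, fmt.Errorf("DS signature in %q does not verify", z.Name)
		}
		// ...and the DS digest must match the DNSKEY the child actually serves.
		d := sha256.Sum256(child.DNSKEY)
		if !bytes.Equal(d[:], z.ChildDS) {
			return nil, fmt.Errorf("DS in %q does not match DNSKEY of %q", z.Name, child.Name)
		}
		trusted = child.DNSKEY
	}
	leaf := chain[len(chain)-1]
	if !ed25519.Verify(leaf.DNSKEY, []byte(rec.Name+"|"+rec.Data), rec.Sig) {
		return nil, fmt.Errorf("record %q does not verify under %q", rec.Name, leaf.Name)
	}
	return vouched, nil
}

func main() {
	// Constructed three-level chain: root -> example -> child.example.
	root, tld, leaf := NewZone("."), NewZone("example"), NewZone("child.example")
	root.Delegate(tld)
	tld.Delegate(leaf)
	rec := leaf.SignRecord("www.child.example", "192.0.2.1")
	vouched, err := ValidateChain(root.DNSKEY, []*Zone{root, tld, leaf}, rec)
	fmt.Println("zones whose signatures were accepted:", vouched, "error:", err)
}
```

Every name in the returned list is a key holder whose re-signing the validator would accept without any further evidence; that list, not the transport, is the "infrastructure" the thread argues about. The tamper checks only detect changes made by someone who lacks the relevant zone key.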