On 2011-08-16 23:11, Tony Finch wrote:
> Ted Lemon <ted.le...@nominum.com> wrote:
>> "As secure as DNSSEC" is not always the required level of security.
> 
> Actually it's nonsense. DNSSEC secures the publication mechanism. The
> security of the update mechanism is pretty much orthogonal. If your
> updates are insecure your zone may be full of junk, but DNSSEC tells
> people looking at the zone that it's authentic junk that was really
> published by your dodgy master servers.

And thus has no value to the user of the validated record.
That's my point: GIGO, so we have to prevent garbage-in. If you
don't classify that as a security requirement, fine, but it's an
operational requirement.

   Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
