On 2011-08-16 23:11, Tony Finch wrote:
> Ted Lemon <ted.le...@nominum.com> wrote:
>> "As secure as DNSSEC" is not always the required level of security.
>
> Actually it's nonsense. DNSSEC secures the publication mechanism. The
> security of the update mechanism is pretty much orthogonal. If your
> updates are insecure your zone may be full of junk, but DNSSEC tells
> people looking at the zone that it's authentic junk that was really
> published by your dodgy master servers.

And thus has no value to the user of the validated record. That's my
point: GIGO, so we have to prevent garbage-in. If you don't classify
that as a security requirement, fine, but it's an operational
requirement.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop