On Aug 16, 2011, at 4:54 PM, Brian E Carpenter wrote:
And thus has no value to the user of the validated record.
That's my point: GIGO, so we have to prevent garbage-in. If you
don't classify that as a security requirement, fine, but it's an
operational requirement.

DNSSEC ensures that what's in the zone was delivered from the authoritative 
name server to the validating resolver intact.   It doesn't promise that what's 
in the zone has any particular ontological status.   What's in the zone is in 
the zone on the basis of the local administrative policy for that zone.

I'm sure you can come up with a use case in which the fact that the name being 
inserted into the zone isn't validated to the same degree of security that 
DNSSEC provides.   So why don't you begin your argument there, rather than 
stating your conclusion as if it were both self-evidently true, and also true 
for all possible use cases.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to