On Aug 16, 2011, at 4:54 PM, Brian E Carpenter wrote:
> And thus has no value to the user of the validated record. That's my point: GIGO, so we have to prevent garbage-in. If you don't classify that as a security requirement, fine, but it's an operational requirement.

DNSSEC ensures that what's in the zone was delivered from the authoritative name server to the validating resolver intact. It doesn't promise that what's in the zone has any particular ontological status. What's in the zone is in the zone on the basis of the local administrative policy for that zone. I'm sure you can come up with a use case in which the fact that the name being inserted into the zone isn't validated to the same degree of security that DNSSEC provides. So why don't you begin your argument there, rather than stating your conclusion as if it were both self-evidently true, and also true for all possible use cases.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop