On 04.09.2017 17:01, Stephane Bortzmeyer wrote:
> On Mon, Sep 04, 2017 at 10:54:44AM +0200, Walter H. <walte...@mathemainzel.info> wrote a message of 25 lines which said:
>
> > I'd say: "either you trust the local net or not";
>
> ..., but I think it is a mistake.

not really; when there is a security problem, DNS is the lesser one ... and I didn't say that a locally running resolver would not be allowed to validate DNSSEC; but there needn't be a DNSSEC-signed local-only zone, as the signature and zone content come from the same host; you can of course validate your own local-only zone, nobody prevents you from doing so, but it is somewhat strange; and the fact that a change of the zone doesn't need to be re-signed raises problems too;

> Many local networks are vulnerable to packets with an internal address coming from the outside, routing attacks diverting traffic outside, etc. Not to mention the internal attacks, for instance by a MS-Windows zombie.

even if this is true, DNSSEC for the local zones doesn't make it any better; as I said, when there is a security problem, DNS is the lesser one ...

> It seems to me that having TLS, DNSSEC and SSH and so on even in the local net is Best Practice.

yes and no; when operating a local mail server that uses TLS for IMAP and SMTP, an anti-virus has to break TLS in order to scan before it gets to the client ...
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop