Paul Wouters wrote:
If a resolver correctly knows an IP address of a nameserver of a
parent zone
This statement seems a recursion of the original problem statement?
What?
The statement is not more demanding for resolvers to be configured
with correct certificates.
This would not help for on-path attackers (without DoT, DoH)
See below.
How would this be safe against the current BGP attacks we are seeing?
Are you saying connecting to an IP address secured by DNSSEC
is safe even under BGP attacks?
As for MitM attacks, PKI, in general, is insecure against
them as was demonstrated by DigiNotar. So, don't bother.
DNSSEC is more hierarchical than the "bag of CAs", so a failure
like this would be more contained. Regardless, I do not understand
how PKI failures relate to DNS?
Are you saying you don't understand DNSSEC is a form of PKI?
IETF can do nothing if some government legally forces
people to install some government provided certificates
to some PKI, including DNSSEC, which is as easy as
MitM attacks on ISP chain may be by government order.
With DNSSEC, a government in country X cannot spoof data of
country Y, they can only block it.
Country X legally forcing people to install government provided
root certificates can freely spoof PKI, including DNSSEC, data
of country Y.
Again, I think perhaps you should write this up in a draft, so
we can see how your proposal would cover everything that DNSSEC
covers.
Before DigiNotar, maybe. After that, I don't think it necessary
any more.
Masataka Ohta
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop