On Thu, 7 Apr 2022, Masataka Ohta wrote:
As I wrote:
Such an individual would have to get access, create the records, give
them to others, who then have to on-path attack you. At the TLD level
and higher, this involves HSMs and physical access restrictions using
a “four eyes minimum” approach.
Not surprisingly, diginotar was equally strongly secure.
Are there anyone who still think DNSSEC were cryptographically secure
or had protected TLDs more securely than diginotar?
Yes, everyone but you who participated in this thread.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
