--On Friday, September 06, 2013 10:43 -0400 Joe Abley
<jab...@hopcount.ca> wrote:

>> Can someone please tell me that BIND isn't being this stupid?
> 
> This thread has mainly been about privacy and confidentiality.
> There is nothing in DNSSEC that offers either of those,
> directly (although it's an enabler through approaches like
> DANE to provide a framework for secure distribution of
> certificates). If every zone was signed and if every response
> was validated, it would still be possible to tap queries and
> tell who was asking for what name, and what response was
> returned.

Please correct me if I'm wrong, but it seems to me that
DANE-like approaches are significantly better than traditional
PKI ones only to the extent to which:

        - The entities needing or generating the certificates
        are significantly more in control of the associated DNS
        infrastructure than entities using conventional CAs are
        in control of those CAs.
        
        - For domains that are managed by registrars or other
        third parties (I gather a very large fraction of them at
        the second level), whether one believes those registrars
        or other operators have significantly more integrity and
        are harder to compromise than traditional third party CA
        operators.

best,
   john
