Hi all,

Admittedly this is not the greatest place to talk about DNSSEC. But well, it's about security :), so here goes.

As far as I see, DNSSEC provides integrity verification of all DNS data. And it in fact allows associating keys with end hosts, making it a PKI. Given that this is the case, why exactly should we even be worried about verifying the integrity of DNS data, say an A record? Without any sort of end-to-end security, it doesn't matter to me whether the binding I get is valid or not (the end host could be compromised). Notice that if I do some authentication of the end host using some auth protocol, the integrity of the A record could hardly matter (of course, the auth will always fail and we have a DoS attack of sorts; DNSSEC doesn't save you against DoS attacks either).

It's strange that there has been so much fuss about securing DNS data, given this to be the case. Given that you could do port forwarding using SSH, why not just use the DNS as a PKI?

Thanks,
Sudharsan

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]