Re: DS and Opt-in - a proposal
> Your initial message said "DNSSEC is going nowhere if they [browsers]
> aren't going to use it!" I was arguing that DNSSEC is useful even if
> browsers stay the same as they are, at least in the Unix world. If:
>
> * DNSSEC is deployed at the root,
> * the recursive resolver is DNSSEC-aware and knows the root's key,
> * com, amazon.com, and www.amazon.com are signed, and
> * the path from the stub resolver to the recursive resolver isn't easy
> to attack (because they're on the same machine, the path is behind a
> firewall which the attacker can't get behind, or the path is
> protected by TSIG)
>
> then it becomes prohibitively difficult to spoof the address of
> www.amazon.com, even if the browser is completely ignorant of DNSSEC.
> That's a win over the current situation, where it is relatively easy to
> spoof that address (especially if you can watch the query, but in many
> cases even if you can't).
<AOL>ME TOO!</AOL>
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
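The four conditions in the quoted list, worked through as an added simulation (this is not code from the original message, from the list, or from any DNSSEC implementation): a toy recursive resolver holds the root key as trust anchor, follows DS records from . to com. to amazon.com., checks the signature on the A record for www.amazon.com., and hands the result to a stub over a last hop that may or may not be protected by TSIG. The signature scheme is textbook RSA over a SHA-256 hash with small fixed primes, standing in for DNSKEY/RRSIG/DS; the zone keys, the two addresses (RFC 5737 documentation ranges) and the shared TSIG key are all constructed. It goes one step beyond the quoted text by also showing what happens when com. carries no DS for amazon.com.: the delegation is insecure and the forged answer goes through, which is why the list requires every zone on the path to be signed.

```python
"""Simulation of the quoted argument: validating recursive resolver + signed
chain + protected last hop protects a DNSSEC-ignorant browser.  Toy crypto only."""
import hashlib
import hmac
from math import gcd

REAL_IP = "192.0.2.10"         # constructed (RFC 5737 documentation range)
ATTACKER_IP = "198.51.100.66"  # constructed


def keygen(p, q):
    """Toy RSA pair: (n, e) plays the zone's DNSKEY, (n, d) its private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(sk, data):            # stand-in for producing an RRSIG over an RRset
    n, d = sk
    return pow(_h(data, n), d, n)


def verify(pk, data, sig):     # stand-in for checking an RRSIG against a DNSKEY
    n, e = pk
    return pow(sig, e, n) == _h(data, n)


def ds_digest(pk):             # DS = digest of the child's DNSKEY, signed by the parent
    return hashlib.sha256(repr(pk).encode()).hexdigest()


def canonical(owner, rtype, rdata):
    return f"{owner} {rtype} {rdata}".encode()


class Zone:
    def __init__(self, name, p, q):
        self.name, (self.pk, self._sk), self.rrsets = name, keygen(p, q), {}

    def add(self, owner, rtype, rdata):
        self.rrsets[(owner, rtype)] = (rdata, sign(self._sk, canonical(owner, rtype, rdata)))

    def delegate(self, child, signed=True):
        if signed:             # the DS is what makes the delegation secure
            self.add(child.name, "DS", ds_digest(child.pk))


def build_zones(amazon_signed=True):
    """Constructed zones: root, com., amazon.com. (www lives in amazon.com.)."""
    root = Zone(".", 2147483647, 4294967291)
    com = Zone("com.", 1000003, 999983)
    amazon = Zone("amazon.com.", 15485863, 104729)
    root.delegate(com)
    com.delegate(amazon, signed=amazon_signed)
    amazon.add("www.amazon.com.", "A", REAL_IP)
    return {z.name: z for z in (root, com, amazon)}, root.pk   # root.pk = trust anchor


def resolve(qname, zones, trust_anchor, validate=True, tamper=None):
    """Recursive resolver.  `tamper` is an attacker rewriting the authoritative
    answer before it reaches the resolver.  Returns the A rdata, or None (SERVFAIL)."""
    labels = qname.rstrip(".").split(".")
    suffixes = (".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1))
    chain = ["."] + [s for s in suffixes if s in zones]
    trusted = trust_anchor
    for parent, child in zip(chain, chain[1:]):
        ds_rr = zones[parent].rrsets.get((child, "DS"))
        if ds_rr is None:      # no DS: insecure delegation, nothing below is verifiable
            trusted = None
            break
        ds, sig = ds_rr
        if validate and not (verify(trusted, canonical(child, "DS", ds), sig)
                             and ds_digest(zones[child].pk) == ds):
            return None
        trusted = zones[child].pk
    rdata, sig = zones[chain[-1]].rrsets[(qname, "A")]
    if tamper:
        rdata = tamper(rdata)  # forged address; the attacker lacks the zone's private key
    if validate and trusted is not None and not verify(trusted, canonical(qname, "A", rdata), sig):
        return None
    return rdata


def tsig_mac(key, msg):        # TSIG: HMAC over the reply with a key shared by stub and recursive
    return hmac.new(key, msg, hashlib.sha256).digest()


def stub_lookup(qname, zones, anchor, tsig_key=None, last_hop_attacker=None):
    """The browser's stub: asks the validating recursive, reply optionally TSIG-signed,
    with an attacker who may rewrite the reply on the stub-to-recursive hop."""
    ip = resolve(qname, zones, anchor)
    if ip is None:
        return None
    msg = canonical(qname, "A", ip)
    mac = tsig_mac(tsig_key, msg) if tsig_key else None
    if last_hop_attacker:
        msg = last_hop_attacker(msg)
    if tsig_key and not hmac.compare_digest(mac, tsig_mac(tsig_key, msg)):
        return None            # TSIG failure: the forged reply is discarded
    return msg.decode().split()[-1]


def scenarios():
    """Constructed cases; each value is the address the browser would end up using."""
    zones, anchor = build_zones()
    unsigned, anchor2 = build_zones(amazon_signed=False)
    forge = lambda _rdata: ATTACKER_IP
    swap = lambda msg: msg.replace(REAL_IP.encode(), ATTACKER_IP.encode())
    return {
        "no_dnssec_spoofed": resolve("www.amazon.com.", zones, anchor, validate=False, tamper=forge),
        "dnssec_spoofed": resolve("www.amazon.com.", zones, anchor, tamper=forge),
        "dnssec_clean": resolve("www.amazon.com.", zones, anchor),
        "amazon_unsigned_spoofed": resolve("www.amazon.com.", unsigned, anchor2, tamper=forge),
        "last_hop_no_tsig": stub_lookup("www.amazon.com.", zones, anchor, None, swap),
        "last_hop_tsig": stub_lookup("www.amazon.com.", zones, anchor, b"stub-recursive-shared-key", swap),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:26} -> {ip or 'SERVFAIL / rejected'}")
```

Running it shows the forged address winning only where the quoted conditions are not met: with a non-validating resolver, with an unsigned amazon.com. delegation, and on an unprotected last hop. With the full chain signed and validated, the forged answer produces SERVFAIL instead of a wrong address, and with TSIG the stub drops the rewritten reply, all without the browser knowing DNSSEC exists.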