RE: DNSSEC - Signature Only vs the MX/A issue.
If you want to make such statements first state your risk model.
Otherwise we end up engaged in hairsplitting debates that have no basis in common sense. There is no perfect security, get over it.
DNSSEC provides certain cryptographic controls in certain instances. DNSSEC is clearly not necessary to do anything we do today, otherwise we could not do it.
The point is that Internet security is kind of a mess. There is no coherent architecture.
The utility in DNSSEC lies in the deployment of the next generation of Internet security infrastructure which uses DNS to perform policy distribution. Protocols like DKIM and architectures that address the issue of deperimeterization.
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Masataka Ohta
> Sent: Sunday, December 10, 2006 8:38 PM
> To: Paul Vixie
> Cc: Christian Huitema; Ralph Droms; bert hubert;
> namedroppers@ops.ietf.org
> Subject: Re: DNSSEC - Signature Only vs the MX/A issue.
>
> Paul Vixie wrote:
>
> > so the Secure DNS model is
> > end-to-end rather than interior-only.
>
> It is not e2e.
>
> With DNSSEC, zone administrators between you and your peer
> are the intelligent intermediate entities subject to all the
> technical and social hacking attacks.
>
> E2e security can be enjoyed if and only if you and your peer
> directly share secret information without intelligent
> intermediate entities.
>
> DNSSEC does not provide cryptographic security.
>
> PKI does not provide cryptographic security.
>
> Masataka Ohta
>
>
>
> --
> to unsubscribe send a message to
> namedroppers-request@ops.ietf.org with the word 'unsubscribe'
> in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>
>