> On Aug 15, 2008, at 8:10 AM, Paul Wouters wrote: > > Whether > > I get a fake CNN.com page is much less important to me then whether > > my nfs > > or mail server can be access by something > > I'm not sure how relevant this is to the discussion, but I'll answer > the question anyway. I don't use NFS because (a) it doesn't work very > well in cross-platform environments and (b) its security model is "I > am the gooey center that your firewall must protect." And I pay > about $100/year to use SSL certs to protect all my IMAP, POP, SMTP and > HTTP transactions. And I use ssh for remote login, which if it is > working correctly and not vulnerable to some zero-day hack should > prevent MitM attacks from succceeding. > > I don't see DNSSEC as being necessary to protect those protocols.
Most people talk to 1 IMAP server. Most people talk to 1 POP server. Most people talk to 1 SMTP *submission* server. There are no scaling issues to deal with here even using private certificates. You also know the name of the ssl certificate you are looking for. For SMTP, MTA to MTA security, you need DNSSEC to validate the MX RRset so you can know which SSL cert to check for. > Once I succeed in talking to my server, I'm probably really talking to > my server. What I want DNSSEC for is to block the potential phishing > attacks we've talked about. Securing my zones, and adding a signed > zone in .se, are all steps on the way to that result. DNSSEC cannot prevent phishing attacks (name *similar* to target name). > But until we have root and .com signed, and until the average end-user > is protected by a validating resolver, we aren't done yet, and I don't > really get any actual benefit from my efforts. Which, tragically, is > why it's taking so long. > > The reason I signed these zones is because I'm trying to increase the > net expertise in the world at doing these things by one head (mine) > and hoping to inspire others to follow suit. The more of us non- > DNSSEC-experts who decide they want DNSSEC and take the time to learn > how to make it happen, the sooner it will actually happen, because we > are the ones who will actually make it happen. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop