David Ulevitch wrote:
Paul Vixie wrote:
no hop-by-hop solution can address the problem of a MiTM who can see
and/or alter your queries and responses.

If you have a malicious man in the middle, he will do bad things to you.

DNSSEC will not stop that.

Too many pronouns...

DNSSEC provides the ability to determine that a given authoritative answer is signed (by DS on the delegation from the parent), and provides cryptographic signatures on such authoritative answers.

The signatures can be chased up to a configured trust anchor, ideally a signed root. And without any private key in that chain of trust, he can't change signed authoritative data without causing validation to fail.

With apologies to Meat Loaf:

A Man in the middle can
bedevil your wits,
He can fiddle with packets,
he can twiddle the bits,
He can easily spoof your
sequence numbers and such,

But he can't spoof sigs,
No he can't do that.
Oh, no,
No, he can't do that.

Brian Dickson
DNSOP mailing list
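The chain of trust Brian describes (a configured trust anchor, a DS in the parent zone, RRSIGs over the child's records) modelled as a small validator that reports which link breaks when a man in the middle rewrites progressively more of a response. This is an added example, not code from the thread or from any DNSSEC implementation: the signature scheme is a textbook RSA-over-SHA-256 toy built from small constructed primes, and the zone names example. and www.example., the record layout, the single-key-per-zone simplification and the attacker's key are all assumptions made for illustration. Real DNSSEC separates KSK and ZSK, signs canonical wire format and uses properly sized keys.

```python
"""Toy model of the DNSSEC chain of trust described in the thread (added example,
not code from the post). Signatures are a textbook RSA-over-SHA-256 toy built
from small fixed primes (constructed, insecure) so it runs offline on the standard
library; real DNSSEC uses properly sized keys and canonical wire format. Zone
names, key material and record data are constructed."""
import hashlib

# --- toy signature scheme, standing in for the RRSIG algorithms ---------------
def toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for distinct primes p, q."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def toy_sign(priv, msg):
    n, d = priv
    return pow(_digest_int(msg, n), d, n)

def toy_verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)

# --- DNSSEC-shaped records -----------------------------------------------------
def rrset_bytes(owner, rtype, rdata):
    """Canonical form of an RRset as covered by its RRSIG (simplified)."""
    return f"{owner}|{rtype}|{'|'.join(sorted(map(str, rdata)))}".encode()

def ds_digest(owner, pubkey):
    """DS record: digest of the child's DNSKEY, published and signed by the parent."""
    return hashlib.sha256(rrset_bytes(owner, "DNSKEY", [pubkey])).hexdigest()

def build_response(root_keys, zone_keys, a_rdata):
    """The records a validating resolver gathers for www.example. A, chain included."""
    root_pub, root_priv = root_keys
    zone_pub, zone_priv = zone_keys
    ds = ds_digest("example.", zone_pub)
    return {
        "root_dnskey": root_pub,
        "example_ds": ds,
        "example_ds_rrsig": toy_sign(root_priv, rrset_bytes("example.", "DS", [ds])),
        "example_dnskey": zone_pub,
        "example_dnskey_rrsig": toy_sign(zone_priv, rrset_bytes("example.", "DNSKEY", [zone_pub])),
        "www_a": list(a_rdata),
        "www_a_rrsig": toy_sign(zone_priv, rrset_bytes("www.example.", "A", a_rdata)),
    }

def validate(trust_anchor, r):
    """Chase signatures from the answer up to the configured trust anchor.
    Returns (True, "secure") or (False, reason) naming the first link that breaks."""
    if r["root_dnskey"] != trust_anchor:
        return False, "root DNSKEY does not match the configured trust anchor"
    if not toy_verify(r["root_dnskey"], rrset_bytes("example.", "DS", [r["example_ds"]]),
                      r["example_ds_rrsig"]):
        return False, "RRSIG over example. DS does not verify under the root key"
    if ds_digest("example.", r["example_dnskey"]) != r["example_ds"]:
        return False, "example. DNSKEY does not match the DS signed by the parent"
    if not toy_verify(r["example_dnskey"], rrset_bytes("example.", "DNSKEY", [r["example_dnskey"]]),
                      r["example_dnskey_rrsig"]):
        return False, "RRSIG over example. DNSKEY does not verify"
    if not toy_verify(r["example_dnskey"], rrset_bytes("www.example.", "A", r["www_a"]),
                      r["www_a_rrsig"]):
        return False, "RRSIG over www.example. A does not verify"
    return True, "secure"

# --- what a man in the middle without the private keys can and cannot do -------
ROOT_KEYS = toy_keypair(104729, 1299709)        # constructed trust-anchor key
EXAMPLE_KEYS = toy_keypair(15485863, 32452843)  # constructed example. zone key
MITM_KEYS = toy_keypair(49979687, 86028121)     # constructed: attacker's own key
TRUST_ANCHOR = ROOT_KEYS[0]                     # configured in the resolver, never taken from the wire

def mitm_outcomes():
    """Validate the honest response, then five progressively deeper rewrites of it."""
    honest = build_response(ROOT_KEYS, EXAMPLE_KEYS, ["192.0.2.10"])
    out = {"honest": validate(TRUST_ANCHOR, honest)}
    mitm_pub, mitm_priv = MITM_KEYS
    # 1. Rewrite the A record only: the existing RRSIG no longer covers the data.
    t = dict(honest, www_a=["198.51.100.66"])
    out["altered_a"] = validate(TRUST_ANCHOR, t)
    # 2. Also re-sign the altered A record, necessarily with the attacker's key.
    t["www_a_rrsig"] = toy_sign(mitm_priv, rrset_bytes("www.example.", "A", t["www_a"]))
    out["resigned_a"] = validate(TRUST_ANCHOR, t)
    # 3. Also swap in the attacker's self-signed DNSKEY: the parent's DS no longer matches.
    t["example_dnskey"] = mitm_pub
    t["example_dnskey_rrsig"] = toy_sign(mitm_priv, rrset_bytes("example.", "DNSKEY", [mitm_pub]))
    out["swapped_dnskey"] = validate(TRUST_ANCHOR, t)
    # 4. Also forge a matching DS: it cannot be re-signed without the root private key.
    t["example_ds"] = ds_digest("example.", mitm_pub)
    out["forged_ds"] = validate(TRUST_ANCHOR, t)
    # 5. Also replace the root DNSKEY: the resolver's configured anchor does not match it.
    t["root_dnskey"] = mitm_pub
    out["swapped_root"] = validate(TRUST_ANCHOR, t)
    return out

if __name__ == "__main__":
    for case, (ok, reason) in mitm_outcomes().items():
        print(f"{case:15} {'SECURE' if ok else 'BOGUS '} {reason}")
```

Each rewrite pushes the failure one link up the chain, and the last link is the anchor the resolver holds locally, which is why no amount of packet fiddling gets past validation without a private key from somewhere in that chain. Note that what the resolver gets is a validation failure (BOGUS), not the attacker's answer; DNSSEC detects the tampering rather than preventing the interception.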
