David,
On Aug 20, 2008, at 10:30 AM, David Ulevitch wrote:
> Paul Vixie wrote:
>> no hop-by-hop solution can address the problem of a MiTM who can see
>> and/or alter your queries and responses.
>
> If you have a malicious man in the middle, he will do bad things to
> you.

Yep. Question is, how many opportunities do you want to provide for
MITM attacks?

> DNSSEC will not stop that.

The full DNS lookup path is almost always different than the data
content path. As such, it introduces a new MITM attack vector (and a
particularly effective one at that as Kaminsky described). DNSSEC is
intended to protect against that attack vector and does so albeit at
some cost in terms of complexity of software and operations.
Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop