Hosnieh Rafiee wrote:

> I have gathered some vulnerabilities in the current DNS security approaches
> such as DNSSEC etc. We think it is useful to have a survey of existing
> vulnerabilities or any new vulnerabilities so that we can address those
> issues in other standard RFCs.
Another security problem is caused by a fundamental fallacy of PKI, that CAs are trusted third parties. If a zone administrator is legally forced to disclose the secret key of the zone, or to forge a certificate for a child zone of the zone, the zone is not secure at all. Thanks to Snowden, I can safely state that such enforcement is plausible without being called paranoid.

The problem can be avoided if we modify DNSSEC to require multiple signatures from multiple organizations in several countries, such as Russia, China etc., at least for the root and TLD zones.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
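The policy sketched in the message above, a threshold of signatures from distinct organizations before an RRset is accepted, as an added example that is not part of the thread or of any DNSSEC implementation. The key tags, organization names and RRset contents are constructed, and signature checking is stood in by HMAC-SHA256 so the script runs with the standard library alone; real RRSIGs use RSA, ECDSA or Ed25519, but the counting logic is the point here. Note the two cases a k-of-n rule has to get right: two valid signatures from keys of the same organization count once, and a signature from an unknown key or a signature that fails to verify counts not at all.

```python
"""Constructed example: k-of-n distinct-organization signing policy for an RRset.

Not DNSSEC code. HMAC-SHA256 stands in for RRSIG verification so that the
example is self-contained; a real validator would call the DNSKEY algorithm.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneKey:
    key_tag: int    # plays the role of a DNSKEY key tag (constructed value)
    org: str        # organization that controls this key (constructed label)
    secret: bytes   # stand-in for the private key: an HMAC secret


@dataclass(frozen=True)
class Signature:
    key_tag: int    # which key produced it, as the key tag field of an RRSIG
    mac: bytes


def canonical_rrset(rrset):
    """Canonical wire-like bytes: sorted (owner, type, rdata) triples."""
    return b"\n".join(" ".join(rr).encode() for rr in sorted(rrset))


def sign_rrset(rrset, key):
    """Produce one signature over the RRset with one organization's key."""
    mac = hmac.new(key.secret, canonical_rrset(rrset), hashlib.sha256).digest()
    return Signature(key.key_tag, mac)


def signature_valid(rrset, sig, key):
    """Recompute the MAC and compare in constant time."""
    expected = hmac.new(key.secret, canonical_rrset(rrset), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.mac)


def signing_orgs(rrset, sigs, trust_anchors):
    """Set of organizations that have a *verified* signature over the RRset.

    A signature whose key tag is not among the trust anchors is ignored, and
    so is one that fails to verify; several keys of one organization still
    yield a single entry, so a coerced organization cannot meet the threshold
    by signing twice.
    """
    orgs = set()
    for sig in sigs:
        key = trust_anchors.get(sig.key_tag)
        if key is None:
            continue
        if signature_valid(rrset, sig, key):
            orgs.add(key.org)
    return orgs


def rrset_accepted(rrset, sigs, trust_anchors, min_orgs):
    """Accept the RRset only if at least min_orgs distinct organizations signed."""
    return len(signing_orgs(rrset, sigs, trust_anchors)) >= min_orgs


# Constructed trust anchors: three organizations, one of them holding two keys.
ORG_A_KEY = ZoneKey(10001, "org-a", b"constructed-secret-a1")
ORG_A_KEY2 = ZoneKey(10002, "org-a", b"constructed-secret-a2")
ORG_B_KEY = ZoneKey(20001, "org-b", b"constructed-secret-b")
ORG_C_KEY = ZoneKey(30001, "org-c", b"constructed-secret-c")
TRUST_ANCHORS = {k.key_tag: k for k in (ORG_A_KEY, ORG_A_KEY2, ORG_B_KEY, ORG_C_KEY)}

# Constructed RRset in presentation-like form: (owner, type, rdata).
ROOT_NS = [
    (".", "NS", "a.root-servers.example."),
    (".", "NS", "b.root-servers.example."),
]

if __name__ == "__main__":
    two_orgs = [sign_rrset(ROOT_NS, ORG_A_KEY), sign_rrset(ROOT_NS, ORG_B_KEY)]
    one_org_twice = [sign_rrset(ROOT_NS, ORG_A_KEY), sign_rrset(ROOT_NS, ORG_A_KEY2)]
    print("A+B, threshold 2:", rrset_accepted(ROOT_NS, two_orgs, TRUST_ANCHORS, 2))
    print("A+A', threshold 2:", rrset_accepted(ROOT_NS, one_org_twice, TRUST_ANCHORS, 2))
```

The threshold is a policy knob of the validator: setting it to 1 gives today's single-signer DNSSEC, while 2 or more with anchors spread across jurisdictions is the arrangement the message proposes for the root and TLD zones.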