Paul Wouters wrote:

You claim DNS can be secured if we somehow securely know all the IPs
of all nameservers of parent zones, for which the only source is DNS.
How do you propose to fulfill your own stated requirement without
DNSSEC?

Securely configuring IP addresses of root servers, which can
recursively assure data origin security of child servers, is
as easy/difficult as securely configuring root certificates.

So?

Are you saying connecting to an IP address secured by DNSSEC is
safe even under BGP attacks?

Yes. Obviously the attacker can deny the actual real DNS content but
sending their own made up DNS data is ignored due to data origin
protection.

Wrong.

With BGP attacks, your packet with a DNSSEC-secured destination IP
address is delivered elsewhere.

Please refrain from ad hominem attacks if you wish to continue to
discuss.

I'm afraid it is you who wants to discontinue discussion.

Country X legally forcing people to install government provided root
certificates can freely spoof PKI, including DNSSEC, data of
country Y.

No they cannot. I can give you root access to a nameserver for
nohats.ca and you still can't create a "proof.nohats.ca"

It is trivially easy with a root zone certificate recognized by
end users to forge RRs of "nohats.ca" and "proof.nohats.ca".

If you only handwave your claims,

I'm afraid it is you who is handwaving with such an unfounded
statement:

   it just
   indicates that the value of deploying DNSSEC is often considered
   lower than the cost.

                                                Masataka Ohta
