On Mar 21, 2022, at 1:01 AM, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:

> Paul Wouters wrote:
>
>>> Constructive thing to do to make DNS secure is to totally
>>> abandon DNSSEC and rely on DNS cookie or something like that.
>
>> DNS cookies provide no data origin security, only a weak transport
>> security against non-onpath attackers.
>
> If a resolver correctly knows an IP address of a nameserver of a
> parent zone and the resolver and the nameserver can communicate
> with long enough ID, the resolver can correctly know an IP
> address of a nameserver of a child zone, which is secure enough
> data origin security.
No.

https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/
https://www.theregister.com/2018/04/24/myetherwallet_dns_hijack/

Etc.

Securing the channel of communication != securing the data communicated via that channel.

Regards,
-drc
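The exchange above turns on the difference between a transport check and a data-origin check. As an added example (not code from the thread or from any DNS implementation), this Go model has a resolver send an 8-byte client cookie (RFC 7873) and compare the echoed value, then verify a DNSSEC-style signature under a zone key it trusted before the query; the Ed25519 signature stands in for an RRSIG, and the Server type, names and addresses are constructed. A host that merely attracts the query packets, as in the BGP hijacks linked above, passes the cookie check but cannot produce the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"fmt"
)

// Answer is a simplified DNS response: one A record, the echoed client
// cookie, and an optional signature over the record (stand-in for an RRSIG).
type Answer struct {
	Name, Addr   string
	ClientCookie []byte
	Signature    []byte
}

// Server models whoever receives the resolver's query: the legitimate
// nameserver, or a host whose hijacked announcement now attracts the packets.
type Server struct {
	zoneKey ed25519.PrivateKey // nil unless this host holds the zone signing key
	addr    string             // constructed documentation-range address
}

// Respond echoes the client cookie (all a cookie requires) and signs only if
// the zone key is present.
func (s *Server) Respond(name string, clientCookie []byte) Answer {
	a := Answer{Name: name, Addr: s.addr, ClientCookie: clientCookie}
	if s.zoneKey != nil {
		a.Signature = ed25519.Sign(s.zoneKey, []byte(name+" A "+s.addr))
	}
	return a
}

// CookieCheck is the resolver-side test RFC 7873 gives: the responder saw the
// query. Any host on the packet path, or one that attracted it, passes.
func CookieCheck(sent []byte, a Answer) bool { return hmac.Equal(sent, a.ClientCookie) }

// OriginCheck is the data-origin test: the record verifies under a key the
// resolver trusted in advance, regardless of which host delivered it.
func OriginCheck(zonePub ed25519.PublicKey, a Answer) bool {
	return ed25519.Verify(zonePub, []byte(a.Name+" A "+a.Addr), a.Signature)
}

// Query sends a fresh cookie to s and returns (cookie passed, origin passed).
func Query(s *Server, zonePub ed25519.PublicKey) (bool, bool) {
	cookie := make([]byte, 8)
	rand.Read(cookie)
	a := s.Respond("example.com.", cookie)
	return CookieCheck(cookie, a), OriginCheck(zonePub, a)
}

func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	legit := &Server{zoneKey: zonePriv, addr: "192.0.2.10"}
	hijacker := &Server{addr: "198.51.100.66"} // receives the query, lacks the key
	c, o := Query(legit, zonePub)
	fmt.Printf("legitimate: cookie=%v origin=%v\n", c, o) // true true
	c, o = Query(hijacker, zonePub)
	fmt.Printf("hijacker:   cookie=%v origin=%v\n", c, o) // true false
}
```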
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop