Mark Andrews wrote:

>>Thus, we must, anyway, protect cache.
>>
>>Then, where is the point to introduce DNSSEC only to have another
>>possibility of security holes?

> We still lock doors and windows despite the possibility of people
> breaking in by lifting tiles.

I'm afraid DNSSEC people have been arguing against SCTP saying
DNSSEC is good enough.

Worse, though I have been warning for these 15 years that cached
glue may be used only for glue with the same referral, a broken
concept of bailiwick was introduced only to enable the so-called
Kaminsky attack.

> Attacks at the registry level are the
> equivalent of lifting tiles.  It happens sometimes.

Protection of DNSSEC at the registry level is equivalent
to protection against lifting tiles. Not practical at all.

> Locking the doors and windows stops most attacks however.

Then, let's lock the doors and windows first, before working on
DNSSEC.

                                                Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
