On Mon, Sep 22, 2008 at 8:49 AM, Keith Medcalf <[EMAIL PROTECTED]> wrote:
>>> If even one delegation is unsigned or even one resolver does not
>>> enforce DNSSEC, then, from an actual security perspective, you will
>>> be far worse off than you are now.
>
>> Why?
>
> If the local resolver does not perform DNSSEC validation, then I cannot
> validate that the response is correct.
> I certainly do not trust anyone else to verify that the information is
> correct and then, without any possible verification,
> simply believe that the third party did the validation. In fact, I have no
> way of knowing that the response even came
> from the "ISP" at all unless the client resolver supports DNSSEC.
>
> Just because YOU check the digital signature on an email and forward that
> email to me (either with or without the
> signature data), if I do not have the capability to verify the signature
> myself, I sure as hell am not going to trust your
> mere say-so that the signature is valid!
>
> If I cannot authenticate the data myself, then it is simply untrusted and
> untrustworthy -- exactly the same as it is now.

So I guess PGP web of trust is right out, then? (In the real world, we rarely get boolean values on security questions.)

-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
http://darkuncle.net/pubkey.asc for public key
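The "mere say-so" point in the quoted reply has a concrete wire-level form: a non-validating stub resolver that relies on its upstream resolver's DNSSEC validation sees that validation only as the AD ("Authentic Data") bit in the DNS header, which is one unsigned flag that any party on the path can set. The following is an added example, not code from this thread or from any resolver implementation: it builds sample DNS responses (constructed data, using RFC 5737 documentation addresses), shows how a stub reads the AD bit, and shows that a forged answer with the AD bit set is indistinguishable to that stub from a validated one. The helper names (`build_response`, `forge_ad`, `stub_accepts`) are this example's own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD added by RFC 2535/4035).
QR = 0x8000   # message is a response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # "Authentic Data": the responder *asserts* it performed DNSSEC validation
CD = 0x0010   # checking disabled


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qid, name, ipv4, flags):
    """Construct a DNS response carrying one A record (sample data, not a real capture).

    Layout: 12-byte header, one question (QTYPE=A, QCLASS=IN), one answer whose
    owner name is a compression pointer (0xC00C) back to the question name at offset 12.
    """
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse(msg):
    """Return the header fields a stub resolver inspects before believing an answer."""
    qid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "questions": qdcount,
        "answers": ancount,
    }


def forge_ad(msg):
    """What an on-path party, or a resolver that merely claims to validate, can do:
    set one header bit and change nothing else. No signature is involved."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return struct.pack("!HH", qid, flags | AD) + msg[4:]


def stub_accepts(msg):
    """A non-validating stub that treats AD=1 as proof of authenticity.

    This is the trust model the quoted reply rejects: the client has no way to
    check the claim, so the bit carries no more weight than the sender's word.
    """
    return parse(msg)["ad"]


def extract_ipv4(msg):
    """Read the A record's address from the answer built by build_response()."""
    return ".".join(str(b) for b in msg[-4:])


if __name__ == "__main__":
    flags = QR | RD | RA
    honest = build_response(0x1234, "example.com", "192.0.2.1", flags)
    # An attacker's answer for the same query: different address, AD bit set by the forger.
    forged = forge_ad(build_response(0x1234, "example.com", "198.51.100.1", flags))
    for label, msg in (("honest, unvalidated", honest), ("forged, AD set", forged)):
        print(f"{label:22s} ad={parse(msg)['ad']} accepted={stub_accepts(msg)} "
              f"answer={extract_ipv4(msg)}")
```

The only way for the client to reject the forged message is to carry the RRSIG/DNSKEY chain itself and verify it locally; nothing in the header, and nothing an intermediary asserts, can substitute for that check.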