Re: Secure DNS is just weakly secure
Tony Finch wrote:

DNSSEC reduces the number of possible attacks. In particular, it protects
you from attacks from random third party hackers.

Indeed. This is called end-to-end security. Cryptography merely
shifts "control". With the DNSSEC use of digital signatures,
cryptography shifts control from the set of DNS distributed components
(e.g. caching nameservers where efficient control means are
unavailable), to just a few, i.e. the registries from the queried DNS
name up to the root (or island of security).

This leaves registry operators as the human link. Obviously, the
end-user systems remain as a target of trojan horse attacks and the like.

DNSSEC does provide an intrinsically valuable information control
mechanism, assuming the zone walking and trust anchor key management
issues are resolved. Whether application use of DNSSEC is justified on a
cost-benefit analysis remains an open question.

Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
archive: <http://ops.ietf.org/lists/namedroppers/>