North American Network Operators Group
Re: hat tip to .gov hostmasters
On Mon, Sep 22, 2008 at 8:49 AM, Keith Medcalf <[email protected]> wrote:
>> > If even one delegation is unsigned or even one resolver does not
>> > enforce DNSSEC, then, from an actual security perspective, you will
>> > be far worse off than you are now.
>
>> Why?
>
> If the local resolver does not perform DNSSEC validation, then I cannot validate that the response is correct.
> I certainly do not trust anyone else to verify that the information is correct and then, without any possible verification,
> simply believe that the third party did the validation. In fact, I have no way of knowing that the response even came
> from the "ISP" at all unless the client resolver supports DNSSEC.
>
> Just because YOU check the digital signature on an email and forward that email to me (either with or without the
> signature data), if I do not have the capability to verify the signature myself, I sure as hell am not going to trust your
> mere say-so that the signature is valid!
>
> If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.

So I guess PGP web of trust is right out, then? (In the real world, we rarely get boolean values on security questions.)

--
[email protected]{gmail.com,darkuncle.net} || 0x5537F527
http://darkuncle.net/pubkey.asc for public key
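As an added illustration of the point argued in the quoted message (example code written for this archive, not from any poster): a stub that believes the AD bit set by a non-validating or untrusted path, versus a stub that verifies the signature itself against a locally configured trust anchor. The SignedRR type, its canonical form, the key generation and the record values are constructed simplifications, not real RRSIG or DNSKEY processing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// adBit reports whether the AD (Authenticated Data) flag is set in a 12-byte
// DNS header: bit 5 of the second flags byte (RFC 4035, section 3.2.3).
func adBit(hdr []byte) bool { return hdr[3]&0x20 != 0 }

// forgeAD is all an upstream resolver or on-path party needs to do to make an
// unvalidated answer look "authenticated" to a trusting stub: set one bit.
func forgeAD(hdr []byte) []byte {
	out := append([]byte(nil), hdr...)
	out[3] |= 0x20
	return out
}

// SignedRR is a hypothetical, simplified stand-in for an RRset plus its RRSIG
// (real RRSIGs also cover the RRSIG RDATA fields and use DNS canonical form).
type SignedRR struct{ Name string; TTL uint32; RData, Sig []byte }

// canonical builds the bytes the signature covers: owner name, TTL, RDATA.
func canonical(rr SignedRR) []byte {
	ttl := make([]byte, 4)
	binary.BigEndian.PutUint32(ttl, rr.TTL)
	return append(append([]byte(rr.Name), ttl...), rr.RData...)
}

// Sign is the zone's side: sign the record with the zone's private key.
func Sign(priv ed25519.PrivateKey, rr SignedRR) SignedRR {
	rr.Sig = ed25519.Sign(priv, canonical(rr))
	return rr
}

// ValidateLocally is the validating stub's side: check the signature against a
// local trust anchor rather than believing whatever the AD bit says.
func ValidateLocally(anchor ed25519.PublicKey, rr SignedRR) bool {
	return ed25519.Verify(anchor, canonical(rr), rr.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed zone key
	rr := Sign(priv, SignedRR{Name: "www.example.gov.", TTL: 300, RData: []byte{192, 0, 2, 10}})
	rr.RData = []byte{198, 51, 100, 7} // constructed: answer altered by a non-validating path
	fmt.Println("AD bit:", adBit(forgeAD(make([]byte, 12))), "local check:", ValidateLocally(pub, rr))
}
```

The forged header reports AD set while the local check reports false; only the latter reflects whether the data actually chains to the trust anchor.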