[108005] in North American Network Operators' Group


Re: hat tip to .gov hostmasters

daemon@ATHENA.MIT.EDU (Scott Francis)
Mon Sep 22 11:54:40 2008

Date: Mon, 22 Sep 2008 08:54:16 -0700
From: "Scott Francis" <darkuncle@gmail.com>
To: "NANOG list" <nanog@nanog.org>
In-Reply-To: <81434005e9f40a458bb39ab7d95910c1@mail.dessus.com>
Errors-To: nanog-bounces@nanog.org

On Mon, Sep 22, 2008 at 8:49 AM, Keith Medcalf <kmedcalf@dessus.com> wrote:

>> > If even one delegation is unsigned or even one resolver does not
>> > enforce DNSSEC, then, from an actual security perspective, you will
>> > be far worse off than you are now.
>
>> Why?
>
> If the local resolver does not perform DNSSEC validation, then I cannot validate that the response is correct.
> I certainly do not trust anyone else to verify that the information is correct and then, without any possible verification,
> simply believe that the third party did the validation.  In fact, I have no way of knowing that the response even came
> from the "ISP" at all unless the client resolver supports DNSSEC.
>
> Just because YOU check the digital signature on an email and forward that email to me (either with or without the
> signature data), if I do not have the capability to verify the signature myself, I sure as hell am not going to trust your
> mere say-so that the signature is valid!
>
> If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.

so I guess PGP web of trust is right out, then?

(in the real world, we rarely get boolean values on security questions)
-- 
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
 http://darkuncle.net/pubkey.asc for public key

