Re: [TLS] [DNSOP] [saag] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Doug Barton <> Mon, 11 October 2010 04:16 UTC

Date: Sun, 10 Oct 2010 21:11:10 -0700
From: Doug Barton <>
To: der Mouse <mouse@Rodents-Montreal.ORG>

On 10/5/2010 1:00 AM, der Mouse wrote:
> But the original statement was that DNSSEC provides "secure"
> association from name to IP.  This is a stronger property than
> providing secure distribution of name-to-IP mapping information; it
> also implies that the creation of that information and its injection
> into the distribution mechanisms are "secure" (whatever that means - I
> note that none of these say what they are talking about being secure
> against; perhaps I'm just missing context).

Sorry, almost nothing you wrote above is true. The only thing that 
DNSSEC has ever claimed to be able to do is provide a way for the end 
user of the DNS data to prove to herself that the data they received is 
the data that the administrator of the zone wanted them to have. The use 
of the word "security" in the name of the protocol extension was an 
incredibly unfortunate choice because it conveys all of the 
misunderstandings you listed above, and a lot more.



Breadth of IT experience, and    |   Nothin' ever doesn't change,
depth of knowledge in the DNS.   |   but nothin' changes much.
Yours for the right price.  :)   |		-- OK Go
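The property described in the reply (DNSSEC lets a resolver prove that the data it received is the data the zone administrator signed, and nothing more) as a small added example; this is not code from the thread. It assumes a toy text rendering of an RRset instead of RFC 4034 canonical wire form, and constructs its own sample records and a fresh Ed25519 key (DNSSEC algorithm 15) rather than a real zone's DNSKEY.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RRset is a simplified resource record set: owner name, type and the
// records the zone administrator publishes (constructed sample, not wire format).
type RRset struct {
	Owner string
	Type  string
	Data  []string
}

// canonical is the byte string that gets signed. Real DNSSEC signs the RRSIG
// RDATA prefix plus the canonically ordered RRs in wire format (RFC 4034);
// this stand-in is only a stable, case-folded text rendering.
func canonical(rr RRset) []byte {
	return []byte(strings.ToLower(rr.Owner) + "|" + rr.Type + "|" + strings.Join(rr.Data, ","))
}

// SignRRset is the zone administrator's step when signing the zone.
func SignRRset(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Validate is the resolver's step with the zone's public key. It proves only
// that rr is what the key holder signed; it says nothing about whether the
// published data was "right".
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rr), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	published := RRset{"www.example.", "A", []string{"192.0.2.1"}}
	sig := SignRRset(priv, published)
	fmt.Println("as published:", Validate(pub, published, sig)) // true
	// Data changed between zone and resolver: the signature no longer matches.
	altered := RRset{"www.example.", "A", []string{"198.51.100.9"}}
	fmt.Println("altered in transit:", Validate(pub, altered, sig)) // false
	// The administrator signs a wrong address: it still validates, which is
	// exactly the limit the reply describes.
	fmt.Println("admin's mistake:", Validate(pub, altered, SignRRset(priv, altered))) // true
}
```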