On Mon, Sep 22, 2008 at 8:49 AM, Keith Medcalf <kmedcalf@dessus.com> wrote:
If even one delegation is unsigned or even one resolver does not enforce DNSSEC, then, from an actual security perspective, you will be far worse off than you are now.
Why?
If the local resolver does not perform DNSSEC validation, then I cannot validate that the response is correct. I certainly do not trust anyone else to verify that the information is correct and then, without any possible verification, simply believe that the third party did the validation. In fact, I have no way of knowing that the response even came from the "ISP" at all unless the client resolver supports DNSSEC.
Just because YOU check the digital signature on an email and forward that email to me (either with or without the signature data), if I do not have the capability to verify the signature myself, I sure as hell am not going to trust your mere say-so that the signature is valid!
If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.
So I guess PGP web of trust is right out, then? (In the real world, we rarely get boolean values on security questions.)

--
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
http://darkuncle.net/pubkey.asc for public key
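Keith's point about the local resolver, as an added example that is not part of the thread: the only thing an upstream resolver hands a non-validating stub is the AD ("Authenticated Data") flag, a single bit in the header that any party on the path could have written. The sample header below is constructed, and the `classify_response` policy (honour AD only if the stub validated itself or has a trusted, integrity-protected path to a validating resolver) is the assumption this example makes.

```python
import struct

# Constructed 12-byte DNS response header, not captured from any real server:
# id=0x1234, flags=0x81A0 (QR=1, RD=1, RA=1, AD=1), qdcount=1, ancount=1, ns=0, ar=0
SAMPLE_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)


def decode_flags(header: bytes) -> dict:
    """Decode the 16-bit flags word of a DNS header into named fields (RFC 1035 / RFC 4035 bits)."""
    if len(header) < 12:
        raise ValueError("a DNS header is 12 bytes")
    flags = struct.unpack("!H", header[2:4])[0]
    return {
        "qr": bool(flags & 0x8000),        # response (1) or query (0)
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),        # authoritative answer
        "tc": bool(flags & 0x0200),        # truncated
        "rd": bool(flags & 0x0100),        # recursion desired
        "ra": bool(flags & 0x0080),        # recursion available
        "ad": bool(flags & 0x0020),        # "authenticated data": a claim by whoever built the packet
        "cd": bool(flags & 0x0010),        # checking disabled
        "rcode": flags & 0x000F,
    }


def classify_response(header: bytes, validated_locally: bool, trusted_path_to_validator: bool) -> str:
    """Decide how much to trust a response.

    validated_locally:          this resolver checked the RRSIG chain itself.
    trusted_path_to_validator:  the AD bit arrived from a validating resolver over a channel
                                whose integrity is assured (e.g. loopback or an authenticated transport).
    Anything else, AD set or not, is unauthenticated data: exactly the pre-DNSSEC situation.
    """
    flags = decode_flags(header)
    if validated_locally:
        return "authenticated"
    if flags["ad"] and trusted_path_to_validator:
        return "authenticated"
    return "unauthenticated"


if __name__ == "__main__":
    print(decode_flags(SAMPLE_HEADER))
    # AD=1 from an arbitrary upstream over plain UDP proves nothing to the stub
    print(classify_response(SAMPLE_HEADER, validated_locally=False, trusted_path_to_validator=False))
```

With the sample header the stub sees AD=1, yet without its own validation or a trusted path to the validator the correct classification is still "unauthenticated".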