New addresses for b.root-servers.net

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Tue Jun 20 03:08:11 UTC 2023


Matt Corallo wrote:

>> Note that DigiNotar was advertised to be operated
>> with HSMs and four-eyes principle, which means
>> both of them were proven to be untrustworthy
>> marketing hypes.
> 
> Even more reason to do DNSSEC stapling!

See hypes of HSMs and four-eyes from DNSSEC
operators.

> This is totally unrelated to the question at hand. There wasn't a 
> question about whether a user relying on trusted authorities can maybe 
> be whacked by said trusted authorities (though there's been a ton of 
> work in this space, most notably requiring CT these days),

So, let's recognize ISPs as trusted authorities and
we are reasonably safe without excessive cost to
support DNSSEC with all the untrustworthy hypes of
HSMs and four-eyes principle.

> it was purely 
> about whether we can rely on pure "I sent a packet to IP X, did it get 
> to IP X", which *is* solved by DNSSEC.

That's overkill. See above for the proper solution.

						Masataka Ohta


