New addresses for b.root-servers.net
Mark Andrews
marka at isc.org
Wed Jun 21 06:13:04 UTC 2023
Which you can do with DNSSEC but the key management will be enormous.
--
Mark Andrews
> On 21 Jun 2023, at 15:39, Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp> wrote:
>
> Matt Corallo wrote:
>
>>> As PKI, including DNSSEC, is subject to MitM attacks, is
>>> not cryptographically secure, does not provide end to end
>>> security and is not actually workable, why do you bother?
>> It sounds like you think nothing is workable, we simply cannot make anything secure
>
> If an end and another end directly share a secret
> key without involving untrustworthy trusted third
> parties, the ends are secure end to end.
>
>> - if we should give up on WebPKI (and all its faults) and DNSSEC (and all its faults) and RPKI (and all its faults), what do we have left?
>
> An untrustworthy but light weight and inexpensive (or free)
> PKI may worth its price and may be useful to make IP address
> based security a little better.
>
> Masataka Ohta
>
More information about the NANOG
mailing list