hat tip to .gov hostmasters

Scott Francis darkuncle at gmail.com
Mon Sep 22 15:54:16 UTC 2008


On Mon, Sep 22, 2008 at 8:49 AM, Keith Medcalf <kmedcalf at dessus.com> wrote:

>> > If even one delegation is unsigned or even one resolver does not
>> > enforce DNSSEC, then, from an actual security perspective, you will
>> > be far worse off than you are now.
>
>> Why?
>
> If the local resolver does not perform DNSSEC validation, then I cannot validate that the response is correct.
> I certainly do not trust anyone else to verify that the information is correct and then, without any possible verification,
> simply believe that the third party did the validation.  In fact, I have no way of knowing that the response even came
> from the "ISP" at all unless the client resolver supports DNSSEC.
>
> Just because YOU check the digital signature on an email and forward that email to me (either with or without the
> signature data), if I do not have the capability to verify the signature myself, I sure as hell am not going to trust your
> mere say-so that the signature is valid!
>
> If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.

so I guess PGP web of trust is right out, then?

(in the real world, we rarely get boolean values on security questions)
-- 
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
 http://darkuncle.net/pubkey.asc for public key
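The point made in the quoted text (an AD bit from an upstream resolver is unverifiable say-so unless you validate yourself or control the path to the validator) as an added Python example, not code from this thread: it builds constructed wire-format DNS responses, reads the AD/CD header bits and the answer RR types, and applies the trust rule a stub resolver should follow. The sample message, the placeholder RRSIG rdata and the 192.0.2.1 address are assumptions, not real data.

```python
import struct

A, RRSIG = 1, 46          # RR type codes (RFC 1035, RFC 4034)
AD_BIT, CD_BIT = 0x0020, 0x0010   # header flag bits (RFC 4035)

def _name(dotted):
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".")) + b"\x00"

def build_response(ad_flag, with_rrsig, qname="example.com"):
    """Constructed sample answer for qname/A (QR, RD, RA set; AD per argument)."""
    flags = 0x8180 | (AD_BIT if ad_flag else 0)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if with_rrsig else 1, 0, 0)
    q = _name(qname) + struct.pack("!HH", A, 1)
    a = _name(qname) + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = b""
    if with_rrsig:
        rdata = b"\x00" * 18  # placeholder; real validation needs the full RRSIG/DNSKEY chain
        sig = _name(qname) + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    return hdr + q + a + sig

def _skip_name(wire, off):
    while True:
        n = wire[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # compression pointer terminates the name
            return off + 2
        off += 1 + n

def parse(wire):
    """Return the AD/CD bits and the RR types in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4
    types = []
    for _ in range(an):
        off = _skip_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"ad": bool(flags & AD_BIT), "cd": bool(flags & CD_BIT), "answer_types": types}

def classify(wire, validating_locally=False, channel_to_resolver_trusted=False):
    """Trust rule for a stub: AD is only a claim by whoever wrote the header."""
    r = parse(wire)
    if validating_locally:   # trust comes from checking signatures, never from AD
        return "needs-local-rrsig-check" if RRSIG in r["answer_types"] else "unsigned-treat-as-untrusted"
    if r["ad"] and channel_to_resolver_trusted:   # e.g. validator on localhost
        return "trust-own-validator"
    if r["ad"]:
        return "ad-is-untrusted-say-so"
    return "untrusted-plain-dns"
```

A non-validating stub that is not on a trusted path to its validator ends up in the "say-so" branch no matter what the upstream claims, which is exactly the case the thread is arguing about.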
