At 11:52 AM -0800 11/10/08, Nelson Bolyard wrote:
> DNSSEC only attempts to ensure that you get the (a) correct IP address.

s/only/only currently/

You can stick any data you want in the DNS. Currently the most popular data is the A record (IP address) associated with a domain name, but it is quite possible to put other data associated with a domain name in the DNS as well. DNSSEC cryptographically protects any type of DNS data, including assertions that a DNS name is associated with a public key.

There are strong pros and strong cons of using the DNS as a reliable public key association mechanism. This has been discussed ad nauseam for over a decade by the people designing the DNS. Here's just one of many problems: there is no way for a browser to know whether the public key data it is getting from the DNS is signed by DNSSEC, much less validated all the way to a trust anchor. Whoopsie.

DNS folks often have their religious views even more entrenched than security folks. There is no strong consensus in the DNS community on this topic. Saying "it can be done" is quite different than saying "it should be done".

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
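The "signed versus validated" gap raised above, illustrated with an added example that is not part of the thread: a minimal stub-side parser of DNS wire format that reports whether an answer carries RRSIG records at all and whether the AD (Authentic Data) bit is set. Both samples are constructed inline, the RRSIG payload is placeholder bytes rather than a real signature, and the point is that everything the stub can see is just data written by whoever answered the query.

```python
import struct

TXT, RRSIG = 16, 46       # RR type codes
AD_FLAG = 0x0020          # Authentic Data bit in the DNS header flags word

def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(name, records, ad):
    """Constructed DNS response: one TXT question plus the given answer RRs."""
    flags = 0x8180 | (AD_FLAG if ad else 0)   # QR, RD, RA (+ AD if claimed)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TXT, 1)
    answers = b""
    for rtype, rdata in records:   # TYPE, CLASS IN, TTL, RDLENGTH, RDATA
        answers += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + answers

def skip_name(wire, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + length

def inspect(wire):
    """What a stub resolver can actually observe about DNSSEC in a reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(wire, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = skip_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    # "signed": an RRSIG travelled with the answer; "ad_bit": the answering
    # resolver *claims* it validated. Neither proves a chain to a trust anchor.
    return {"signed": RRSIG in types, "ad_bit": bool(flags & AD_FLAG)}

TXT_RDATA = b"\x0bkey=example"        # constructed TXT character-string
FAKE_RRSIG = bytes(40)                 # constructed placeholder, not a real RRSIG
UNSIGNED = build_response("example.com.", [(TXT, TXT_RDATA)], ad=False)
SIGNED_NO_AD = build_response("example.com.", [(TXT, TXT_RDATA), (RRSIG, FAKE_RRSIG)], ad=False)
SIGNED_AD = build_response("example.com.", [(TXT, TXT_RDATA), (RRSIG, FAKE_RRSIG)], ad=True)
```

Running `inspect` over the three samples shows the same key data arriving with no signature, with a signature but no validation claim, and with a claimed validation, while the stub itself has verified nothing in any of the three cases.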