Sujet : Re: [LINK] Calling time on DNSSEC?
De : gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Groupes : comp.miscDate : 28. Nov 2024, 06:04:16
Autres entêtes
Organisation : TNet Consulting
Message-ID : <vi8tkg$8ha$1@tncsrv09.home.tnetconsulting.net>
References : 1 2 3
User-Agent : Mozilla Thunderbird
On 11/27/24 02:40, Richard Kettlewell wrote:
It’s not enough. It can secure the name-to-address mapping but does
nothing for the security of any data sent or received.
DNS, without security, doesn't have anything to do with security data sent or received either.
Apples and lug-nuts always have been and always will be completely different things that do completely different things.
That being said, DNSSEC can be used to authenticate keys published with DANE (TLSA records) which can be used to encrypt traffic without the need for traditional public key infrastructure (PKI).
You need TLS (or SSH, or whatever) as well, and those already deal with naming.
None of those actually do / produce the naming. They only use / consume the naming done / produced by something else; DNS or local hosts entries.
So it’s natural to ask why someone would bother with DNSSEC as well, and hardly surprising that mostly the answer is that people don’t.
See my previous response about MVP.
-- Grant. . . .
[LINK] Calling time on DNSSEC?
Re: [LINK] Calling time on DNSSEC?