Franck Martin wrote:
But the real solution is to digitally sign the data in DNS, and secure the full path between querying client and authoritative server. DNSSEC is today a solution to a large piece of that, but it also has to be deployed.
Admittedly, I'm no DNS expert, but my understanding is that there are still problems with the current DNSSEC implementation.
I worry in particular about the human factors in DNSSEC: determining identity remotely leaves a number of 'social engineering' options open to attackers; user ignorance concerning certificates and signing authorities reduces their value; increased cost of entry for small-scale operators, especially in developing countries with no access to credit cards or other online payment methods.
Can someone with more detailed knowledge than I have comment on these issues, please?
-- Dan McGarry