nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New addresses for b.root-servers.net

From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Tue, 20 Jun 2023 12:08:11 +0900
Matt Corallo wrote:


Note that diginotar was advertised to be operated
with HSMs and four-eyes principle, which means
both of them were proven to be untrustworthy
marketing hypes.


Even more reason to do DNSSEC stapling!


See hypes of HSMs and four-eyes from DNSSEC
operators.
This is totally unrelated to the question at hand. There wasn't a question about whether a user relying on trusted authorities can maybe be whacked by said trusted authorities (though there's been a ton of work in this space, most notably requiring CT these days), 

So, let's recognize ISPs as trusted authorities and
we are reasonably safe without excessive cost to
support DNSSEC with all the untrustworthy hypes of
HSMs and four-eyes principle.
it was purely about whether we can rely on pure "I sent a packet to IP X, did it get to IP X", which *is* solved by DNSSEC. 

That's overkill. See above for the proper solution.

                                                Masataka Ohta
Previous By Date Next
Previous By Thread Next

Current thread: