[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad
Paul Vixie
paul at vix.com
Sun Jun 29 19:50:44 EDT 2008
> > dismaying that if there were a business case, then registrar authorization
> > and security is so weak at present that DNSSEC would be a joke if deployed.
>
> The registrar, or their webgui security, is not involved in me using DNSSEC
> while on starbucks open wifi sitting next to a bad guy drinking my coffee.
>
> So, not a joke at all. The big difference here is the targeted vs the
> untargeted/local attacks.

it will make a difference to you sitting in starbucks if turkish hackers take
over your bank's registrar account and redirect the NS RRset and DS RRset to
servers and keys they (the turkish hackers) control. yes, you will ultimately
be able to seek compensation from your bank (who would be called incompetent
by a civil jury or judge) but in the meantime you'll be out the money. and
if the victim of the attack isn't a regulated entity like a bank, but rather
some e-commerce site or some corporate partner of yours, you might never have
any recourse over whatever information you expose when the victim's registrar
account is hacked by the turks (or the russians or chinese or americans.)