
Re: [DNSOP] A different question



*plonk*

On Aug 21, 2008, at 3:50 PM, Masataka Ohta wrote:
Paul Wouters wrote:

Instead, MitM attack on DNSSEC is performed, for example, within
intermediate zones with forged signature on child zone with forged
end-users data.

Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA256,
Diffie-Hellman, and perhaps elliptic curve....

That is certainly a valid argument.

However, it has nothing to do with the MitM case above because
forged signature from a compromised zone is cryptographically valid.

						Masataka Ohta


_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

