[ksk-rollover] IoT devices and KSK rollover

Paul Wouters paul at nohats.ca
Thu Jun 13 16:14:24 UTC 2019


> On Jun 13, 2019, at 11:54, Fred Baker <fredbaker.ietf at gmail.com> wrote:
> 
>> On Jun 12, 2019, at 6:07 PM, Michael Richardson <mcr at sandelman.ca> wrote:
>> But, if you already have TLS code in the device, then maybe it's cheaper
>> to do this instead of DNSSEC.
> 
> That's apples and orangutans. TLS secures the channel (chain of custody), DNSSEC secures the data regardless of the channel (correctness of the data).

I keep saying this too and correct people every time DoH or DoT is suggested as a replacement for DNSSEC.

Browser vendors and DNS firewall vendors aren’t helping by building infrastructure that breaks DNSSEC by design. It’s an attack in the network.

Paul

