[ksk-rollover] IoT devices and KSK rollover

Paul Wouters paul at nohats.ca
Thu Jun 13 16:14:24 UTC 2019

> On Jun 13, 2019, at 11:54, Fred Baker <fredbaker.ietf at gmail.com> wrote:
>> On Jun 12, 2019, at 6:07 PM, Michael Richardson <mcr at sandelman.ca> wrote:
>> But, if you already have TLS code in the device, then maybe it's cheaper
>> to do this instead of DNSSEC.
> That's apples and orangutans. TLS secures the channel (chain of custody), DNSSEC secures the data regardless of the channel (correctness of the data).

I keep saying this too and correct people every time DoH or DoT is suggested as replacement for DNSSEC.

Browser vendors and DNS firewall vendors aren’t helping by building infrastructure that breaks DNSSEC by design. It’s an attack in the network.


More information about the ksk-rollover mailing list