[kictanet] KENIC is wanting

Michuki Mwangi michuki at swiftkenya.com
Wed Mar 31 10:12:45 EAT 2010


Hi McTim, et al,

McTim wrote:

> DNSSEC was designed to protect against a limited set of attacks, such
> as DNS cache poisoning, Man in the middle, etc. It provides: a) origin
> authentication of DNS data, b) data integrity, and c) authenticated
> denial of existence.  DNSSEC, if implemented, only provides security
> when you ask a question of the DNS database (in this case, Robert's
> browser had asked "what is the IP address of kenic.or.ke?").  It's
> nothing to do with https or CAs, self signed or not.  That's a
> completely different layer.
> 

DNSSEC-aware browsers and resolvers would still be a challenge to end
users. A lot more problems on end user infrastructure from firewalls that
block TCP port 53, limit UDP packets to 512 bytes.

Regards,

Michuki.
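The firewall problem raised above, as an added example that is not part of the original message: a resolver asks for DNSSEC records by sending an EDNS0 OPT record with the DO bit set and a UDP size above 512, and signed answers larger than that are either dropped by a 512-byte filter or marked truncated, which forces a retry on TCP port 53. The function names and the padded responses are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # DNS-over-UDP payload ceiling without EDNS0 (RFC 1035)
TC_BIT, DO_BIT, OPT_TYPE = 0x0200, 0x8000, 41

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, udp_size=4096, dnssec_ok=True):
    """DNS query carrying an EDNS0 OPT record; DO=1 asks for DNSSEC records."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def advertised(query):
    """Return (udp_size, do_bit) from the OPT record that build_query() puts last."""
    _type, udp_size, ttl, _rdlen = struct.unpack("!HHIH", query[-10:])
    return udp_size, bool(ttl & DO_BIT)

def classify(response, fw_udp_limit=None, tcp53_allowed=True):
    """How a UDP response fares on a path with the given firewall behaviour."""
    flags = struct.unpack("!H", response[2:4])[0]
    if fw_udp_limit is not None and len(response) > fw_udp_limit:
        return "dropped: UDP payload over firewall limit"
    if flags & TC_BIT:
        return "retry over TCP" if tcp53_allowed else "failed: truncated and TCP 53 blocked"
    return "delivered"

def fake_response(size, truncated=False, qid=0x1234):
    """Constructed response: a real header, zero padding standing in for records."""
    flags = 0x8180 | (TC_BIT if truncated else 0)  # QR, RD, RA
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0).ljust(size, b"\x00")

if __name__ == "__main__":
    q = build_query("kenic.or.ke")
    print(len(q), advertised(q))
    print(classify(fake_response(1400), fw_udp_limit=CLASSIC_UDP_LIMIT))
    print(classify(fake_response(100, truncated=True), tcp53_allowed=False))
```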







