[dns-wg] What about the last mile, was: getting DNSSEC deployed

David Conrad wrote:
> On Feb 16, 2007, at 12:50 PM, Doug Barton wrote:
>> David Conrad wrote:
>>>>     NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS
>>> ...
>>>> As noted, dnssec can protect against spoofed dns info.
>>> Except DNSSEC wouldn't really be applicable.
>> It would apply in the (theoretical) subset of applications that are
>> configured to rely on signed and validated responses, like hopefully
>> windows/osx/mozilla/other software updaters could be configured to do.
> 
> The question is how do they get the information that the data has been 
> signed and the signatures validated.  Since with this attack they'd be 
> going through a compromised server, they lose.  The only way out of that 
> hole is if you run a local validating caching server and have 
> appropriate (out-of-band validated) trust anchors configured and if 
> you're running a local caching server, you're already not susceptible to 
> the attack.
> 
I was thinking similar like home routers could have default 
configuration to use DNSSEC responses, and maybe in the future only DNSSEC.

As about trust anchors, in other security applications we looking now 
closely at the TPM (Trusted Platform Module)/TCG technology that 
provides hardware bound and hardware protected trust anchors.

Yuri