In message <564be747.40...@tnetconsulting.net>, Grant Taylor writes:
> On 11/17/2015 03:22 PM, Mark Andrews wrote:
> > Given the root zone is signed and most of the TLDs are also signed
> > there is little a rogue operator can do besides causing a DoS if
> > you validate the returned answers.
>
> This quote from Twitter seems appropriate: DNSSEC only protects you
> from getting bad answers. If someone wants you to get no answers at all
> then DNSSEC cannot help.

As I said. It doesn't protect you from a Denial of Service.

> I think it would be possible for a rogue operator to completely hide
> DNSSEC related records (NODATA) and revert to pre-DNSSEC DNS. Thus it
> would then be possible to do some nefarious things.
>
> I think the only thing that would help thwart this type of behavior is
> for clients to do DNSSEC validation themselves. (It's my understanding
> that most do not.)

If your recursive server is validating then you are protected from a
rogue root server. If your application is validating then you are
protected from a rogue root server and a rogue recursive server.

Mark

> --
> Grant. . . .
> unix || die

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
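As an added illustration, not part of the thread above, here is a small Python model of how a validating resolver (or a validating application) decides the security status of an answer, covering the "hide the DNSSEC records and revert to pre-DNSSEC" case Grant raises and the two protection cases Mark describes. The cryptographic checks are assumed to have been done already and are represented by booleans; the `Delegation`, `Answer`, `classify` and `scenarios` names and all sample data are constructed for this example.

```python
from dataclasses import dataclass

# Constructed inputs: what a validator knows about one answer.  Checking
# RRSIGs against DNSKEYs and DS digests against child DNSKEYs is assumed
# to have happened already and is represented by booleans.  The chain
# runs from the root trust anchor down to the zone holding the answer.

@dataclass
class Delegation:
    zone: str
    ds_present: bool         # parent served a DS RRset for this child and it validated
    ds_absence_proven: bool  # parent served a signed NSEC/NSEC3 proving there is no DS

@dataclass
class Answer:
    has_rrsig: bool          # RRSIG records came back with the answer
    sig_valid: bool          # they verify under the zone's validated DNSKEY

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def classify(chain, answer):
    """Security status of `answer` in the sense of RFC 4035 section 4.3.
    A zone is expected to be signed as long as every delegation above it
    carried a validated DS.  Missing or broken signatures in a zone that
    is expected to be signed make the answer bogus, not insecure, which
    is why stripping DNSSEC records cannot silently downgrade a
    validating client to pre-DNSSEC behaviour."""
    for d in chain:
        if d.ds_present:
            continue          # chain of trust continues below this zone
        if d.ds_absence_proven:
            return INSECURE   # genuinely unsigned delegation, nothing to check
        return BOGUS          # DS hidden (NODATA) without a signed proof
    if answer.has_rrsig and answer.sig_valid:
        return SECURE
    return BOGUS

def scenarios():
    """The cases discussed in the thread, on constructed data."""
    signed_tld = [Delegation("example", True, False)]
    return {
        # honest servers, signed TLD, good signatures
        "honest": classify(signed_tld, Answer(True, True)),
        # rogue root answers NODATA for the TLD's DS with no NSEC proof
        "rogue_root_hides_ds": classify([Delegation("example", False, False)], Answer(False, False)),
        # rogue recursive server strips the RRSIGs from a signed answer
        "rogue_recursive_strips_rrsig": classify(signed_tld, Answer(False, False)),
        # a TLD that really is unsigned, with the root proving the missing DS
        "truly_unsigned_tld": classify([Delegation("unsigned", False, True)], Answer(False, False)),
    }
```

A validating recursive server catches the first two rogue cases; only validation in the application itself also catches the rogue recursive server, since that server is the one reporting the status to the client.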