* Paul Vixie:

> how much more money, brains, and time are we going to collectively waste
> on dns (so, a WOMBAT) to solve the problems dnssec solves, rather than
> just deploying dnssec?

Because DNSSEC does not prevent cache poisoning, it only detects it. Once your cache is poisoned, it is difficult to continue. I doubt many resolvers can tell a successful cache poisoning attack from a plain old mis-signed zone or other DNSSEC mishap. Unbound tries to do better, but the protocol makes that ridiculously difficult because it's so hard to obtain signatures of the name servers you want to query. In retrospect, not signing delegations and glue was a huge mistake.