On Thu, Sep 05, 2013 at 02:54:18PM -0700, Paul Vixie <p...@redbarn.org> wrote a message of 68 lines which said:
> Florian Weimer wrote:
>
> > Because DNSSEC does not prevent cache poisoning, it only detects it.
>
> i do not understand this statement.

The way I understand it: with Kaminsky and/or Shulman, you can still poison a DNS cache. The downstream validating resolver will detect it and send back SERVFAIL to the end user. But this end user won't be able to connect to his/her bank.

So, DNSSEC turned the poisoning attack from a hijacking attack into a DoS. Now, the question is: "for an attacker, is it the simplest way to do a DoS?" IMHO, no, so I'm not too worried about it and I still believe in DNSSEC.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
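The "hijack versus DoS" distinction in the message above, as an added toy model that is not part of the original post or of any resolver's code. An off-path attacker wins the race to answer a query, so the forged RRset lands in the cache first; a non-validating resolver then hands the attacker's address to clients, while a validating resolver sees that the signature does not verify and answers SERVFAIL. Everything here is constructed: the name www.bank.example, the RFC 5737 documentation addresses, and the use of an HMAC with a shared key as a stand-in for RRSIG/DNSKEY verification (real DNSSEC uses public-key signatures and a chain of trust, which this model does not reproduce).

```python
"""Toy model of why DNSSEC turns a cache-poisoning race into a DoS.

Constructed example: the attacker's spoofed reply (Kaminsky-style race) reaches
the cache before the genuine one. A non-validating resolver serves the forged
address (hijack); a validating resolver rejects it and returns SERVFAIL (DoS).
The "RRSIG" here is an HMAC over a canonical form of the RRset, a stand-in for
the public-key signatures real DNSSEC uses; the chain of trust is not modelled.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the zone's signing key (a real zone uses an asymmetric DNSKEY).
ZONE_KEY = b"bank.example zone signing key (constructed)"


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    rrsig: Optional[bytes] = None  # None models an unsigned (forged) RRset


def canonical_form(name: str, rtype: str, rdata: Tuple[str, ...]) -> bytes:
    """Bytes that get signed: lowercased owner name, type, sorted rdata."""
    return "|".join([name.lower().rstrip("."), rtype.upper(), *sorted(rdata)]).encode()


def sign_rrset(name: str, rtype: str, rdata: Tuple[str, ...], key: bytes = ZONE_KEY) -> RRset:
    """Zone operator's side: attach a signature to a genuine RRset."""
    sig = hmac.new(key, canonical_form(name, rtype, rdata), hashlib.sha256).digest()
    return RRset(name, rtype, tuple(rdata), sig)


def verify_rrset(rrset: RRset, key: bytes = ZONE_KEY) -> bool:
    """Validating resolver's side: does the RRSIG match the RRset data?"""
    if rrset.rrsig is None:
        return False
    expected = hmac.new(key, canonical_form(rrset.name, rrset.rtype, rrset.rdata),
                        hashlib.sha256).digest()
    return hmac.compare_digest(rrset.rrsig, expected)


class Resolver:
    """Caching resolver; validate=True makes it a DNSSEC validator."""

    def __init__(self, validate: bool) -> None:
        self.validate = validate
        self.cache = {}

    def receive(self, rrset: RRset) -> bool:
        """First matching response wins the race; later ones are dropped."""
        key = (rrset.name.lower(), rrset.rtype.upper())
        if key in self.cache:
            return False
        self.cache[key] = rrset
        return True

    def lookup(self, name: str, rtype: str) -> Tuple[str, Optional[Tuple[str, ...]]]:
        """Answer a client from cache, validating first if configured to."""
        rrset = self.cache.get((name.lower(), rtype.upper()))
        if rrset is None:
            return ("SERVFAIL", None)  # nothing cached; out of scope for this model
        if self.validate and not verify_rrset(rrset):
            return ("SERVFAIL", None)  # bogus data detected, but the client gets no answer
        return ("NOERROR", rrset.rdata)


GENUINE_IP = "192.0.2.10"     # RFC 5737 documentation address (constructed)
ATTACKER_IP = "203.0.113.66"  # RFC 5737 documentation address (constructed)
NAME = "www.bank.example"     # constructed name


def poisoning_scenario(validate: bool, forged_sig: Optional[bytes] = None):
    """Attacker's spoofed reply arrives first, the genuine signed reply second."""
    resolver = Resolver(validate)
    forged = RRset(NAME, "A", (ATTACKER_IP,), forged_sig)
    genuine = sign_rrset(NAME, "A", (GENUINE_IP,))
    resolver.receive(forged)   # wins the race, lands in cache
    resolver.receive(genuine)  # too late, dropped
    return resolver.lookup(NAME, "A")


def baseline_scenario(validate: bool):
    """No attacker: the genuine signed reply is the only one."""
    resolver = Resolver(validate)
    resolver.receive(sign_rrset(NAME, "A", (GENUINE_IP,)))
    return resolver.lookup(NAME, "A")


if __name__ == "__main__":
    print("no attack, validating:        ", baseline_scenario(True))
    print("poisoned, non-validating:     ", poisoning_scenario(False))  # hijack
    print("poisoned, validating:         ", poisoning_scenario(True))   # DoS
    print("poisoned with fake RRSIG, val:", poisoning_scenario(True, b"\x00" * 32))
```

The last case shows that an attacker who guesses the shape of an RRSIG gains nothing: the forged signature still fails to verify, so the validator's answer is the same SERVFAIL. What the model deliberately leaves out is what a real validator does next (retry other nameservers, negative caching of the bogus data); the point of the message stands either way, the client gets no usable answer rather than the attacker's.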