* Mark Andrews:

> In message <20130906074928.ga19...@nic.fr>, Stephane Bortzmeyer writes:
>> The way I understand it: with Kaminsky and/or Shulman, you can still
>> poison a DNS cache. The downstream validating resolver will detect it
>> and send back SERVFAIL to the end user. But this end user won't be
>> able to connect to his/her bank.
>
> Well, if you only half deploy DNSSEC, this will happen.

Well, there aren't any plans to sign ROOT-SERVERS.NET, are there? So even a hypothetical resolver that avoids long-term caching of bad, DNSSEC-signed data will still go belly-up if it ever learns incorrect address information for the root zone. Now you can special-case ROOT-SERVERS.NET, but it's quite common to host the name servers in unsigned zones (GTLD-SERVERS.NET, NSTLD.COM, GOV-SERVERS.NET, GTLD.BIZ, and so on).

> Proper deployment of DNSSEC requires that the cache does validation.

Well, I guess that's progress. :-)

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
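The argument in the message above (name-server addresses that live in an unsigned zone cannot be authenticated by a validator, so poisoning them still breaks resolution of signed zones) comes down to a chain-of-trust check that a resolver performs per name. The script below is an added illustration, not code from the thread or from any resolver; it walks a constructed delegation model and reports, for each zone, which of its name servers' addresses a validator has to take on trust. The choice of which zones are unsigned follows the list in the message (the situation as of 2013, taken here as an assumption), and the `example.*` and `island.*` entries are hypothetical.

```python
"""Chain-of-trust check for name-server addresses (added example).

A validating resolver can only authenticate an A/AAAA record if every
zone cut from the root down to the zone holding the record is signed
and linked by a DS record. The addresses of a.root-servers.net or
a.gtld-servers.net sit in unsigned zones, so a poisoned address for
them is indistinguishable from a real one, whatever the resolver does
with signed data. All delegation data here is a constructed model,
not a live DNS lookup.
"""
from typing import Dict, List

# Constructed model. Key: zone apex. Value: True if the zone is signed.
# The unsigned entries follow the thread's list (an assumption about the
# state of things in 2013, not something this code verifies).
ZONES: Dict[str, bool] = {
    ".": True,                   # trust anchor
    "net.": True,
    "com.": True,
    "biz.": True,
    "root-servers.net.": False,
    "gtld-servers.net.": False,
    "nstld.com.": False,
    "gtld.biz.": False,
    "example.com.": True,        # hypothetical
    "example.net.": True,        # hypothetical
    "island.gtld.biz.": True,    # hypothetical: signed, but its parent is not
}

# Constructed NS sets (the root/TLD server names are the well-known ones,
# the rest are hypothetical).
NAMESERVERS: Dict[str, List[str]] = {
    ".": ["a.root-servers.net.", "b.root-servers.net."],
    "net.": ["a.gtld-servers.net.", "b.gtld-servers.net."],
    "com.": ["a.gtld-servers.net.", "b.gtld-servers.net."],
    "example.com.": ["ns1.example.com.", "ns2.example.com."],
    "example.net.": ["ns1.example.net.", "ns2.nstld.com."],
    "island.gtld.biz.": ["ns.island.gtld.biz."],
}


def _norm(name: str) -> str:
    """Lower-case and make fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def zone_chain(name: str, zones: Dict[str, bool]) -> List[str]:
    """Zone apexes from the root down to the zone that holds `name`.

    Only names present in `zones` count as zone cuts, e.g.
    a.root-servers.net. -> ['.', 'net.', 'root-servers.net.'].
    """
    labels = [label for label in _norm(name).split(".") if label]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            chain.append(candidate)
    return chain


def address_is_validatable(name: str, zones: Dict[str, bool]) -> bool:
    """True iff a validator can authenticate `name`'s A/AAAA records.

    Every zone on the chain must be signed: a DS record published by an
    unsigned parent carries no RRSIG, so an "island of security" below
    an unsigned zone is as unverifiable as the unsigned zone itself.
    """
    return all(zones[z] for z in zone_chain(name, zones))


def unauthenticated_nameservers(zone: str, zones: Dict[str, bool],
                                nameservers: Dict[str, List[str]]) -> List[str]:
    """Name servers of `zone` whose addresses a resolver must take on trust."""
    return [ns for ns in nameservers[_norm(zone)]
            if not address_is_validatable(ns, zones)]


def audit(zone: str, zones: Dict[str, bool],
          nameservers: Dict[str, List[str]]) -> str:
    """'secure' if all NS addresses validate, 'exposed' if none do,
    'mixed' otherwise. An 'exposed' zone can be taken offline (SERVFAIL
    from a validating cache) by poisoning its name servers' addresses,
    even though the zone itself is signed."""
    all_ns = nameservers[_norm(zone)]
    bad = unauthenticated_nameservers(zone, zones, nameservers)
    if not bad:
        return "secure"
    if len(bad) == len(all_ns):
        return "exposed"
    return "mixed"


if __name__ == "__main__":
    for zone in NAMESERVERS:
        verdict = audit(zone, ZONES, NAMESERVERS)
        bad = unauthenticated_nameservers(zone, ZONES, NAMESERVERS)
        print(f"{zone:20} {verdict:8} unauthenticated: {', '.join(bad) or '-'}")
```

Running it shows the root, `net.` and `com.` as "exposed" in this model, which is the point of the message: special-casing ROOT-SERVERS.NET in the resolver does nothing for the TLD servers hosted under GTLD-SERVERS.NET, and the `island.gtld.biz.` entry shows that signing a zone whose parent is unsigned does not help either, because the DS link has nothing to authenticate it.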