On Sat, 7 Sep 2013, Florian Weimer wrote:

> Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?

Why sign that when you have the DNSKEY via the DS anyway? You shouldn't
care which IP answers and whether they can spoof it. If one IP fails,
try another. If the attacker can rewrite all of that, you should
probably not be on that network.

> So even a hypothetical resolver that avoids long-term caching of bad,
> DNSSEC-signed data will still go belly-up if it ever learns incorrect
> address information for the root zone.

> Now you can special-case ROOT-SERVERS.NET, but it's quite common to
> host the name servers in unsigned zones (GTLD-SERVERS.NET, NSTLD.COM,
> GOV-SERVERS.NET, GTLD.BIZ, and so on).

If they can do all of that, they can also just send TCP RST packets.
What _are_ you doing on such a network?

Paul
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations