On Wed, 28 Aug 2013, Nicholas Weaver wrote:
> How does the following policy strike people for DNSSEC recursive resolvers
> which perform validation:
>
> Keep all seen DS and PARENT NS+glue RRSETs in a much-longer-than-normal (2 day
> timeout) cache.
>
> When the DS or parent NS+glue RRSET changes, record that change (but still note
> the old version) in the cache.
>
> If the other one changes, mark that domain as bogus until either 2 days pass
> from the first change OR one or the other changes back to the older value.
Sounds like certificate pinning or CT-DNSSEC. It has the same problems.
There will be more false positives than actual attacks, and people will
disable it.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
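As an added illustration (this is not code from the thread, from any resolver, or from the IETF), the following Python simulation implements the pinning rule exactly as quoted above: DS and parent NS+glue are pinned, a change to either is recorded alongside the old value, and the delegation is reported bogus only while both have a pending change, the report clearing when one changes back or when two days have passed since the first change. The zone name, RRset contents, timestamps and both timelines are constructed for the example; the second timeline (a legitimate KSK rollover followed a few hours later by a move to a new DNS operator) is there to show the kind of false positive the reply anticipates.

```python
"""Simulation of the DS / parent-NS+glue pinning policy quoted above.

Added example for this page, not code from the thread or from any resolver.
Zone names, RRset contents, timestamps and scenarios are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# The proposal's "2 day timeout", in seconds.
WINDOW = 2 * 24 * 3600


@dataclass
class PinnedRRset:
    """One pinned RRset (DS, or parent NS+glue) plus its pending change."""
    current: FrozenSet[str]
    previous: Optional[FrozenSet[str]] = None  # older value kept while a change is pending
    changed_at: Optional[int] = None           # time of the first change in the window

    def pending(self) -> bool:
        return self.changed_at is not None

    def expire(self, now: int) -> None:
        # After the window the new value is simply accepted as the pin.
        if self.pending() and now - self.changed_at >= WINDOW:
            self.previous, self.changed_at = None, None

    def observe(self, value: FrozenSet[str], now: int) -> None:
        if value == self.current:
            return
        if self.pending() and value == self.previous:
            # Changed back to the older value: the pending change is withdrawn.
            self.current, self.previous, self.changed_at = value, None, None
            return
        if self.pending():
            # A further distinct change inside the window: keep the original
            # older value and the first change's time ("2 days from the first change").
            self.current = value
        else:
            self.previous, self.current, self.changed_at = self.current, value, now


@dataclass
class ZonePins:
    ds: PinnedRRset
    ns_glue: PinnedRRset


class PinningValidator:
    """Tracks the pinned DS and parent NS+glue RRsets for each delegation."""

    def __init__(self) -> None:
        self.pins: Dict[str, ZonePins] = {}

    def status(self, zone: str, now: int) -> str:
        """Pinning verdict for `zone` at `now` without a new observation."""
        pins = self.pins[zone]
        for rec in (pins.ds, pins.ns_glue):
            rec.expire(now)
        both_changed = pins.ds.pending() and pins.ns_glue.pending()
        return "bogus" if both_changed else "secure"

    def observe(self, zone: str, now: int,
                ds: Iterable[str], ns_glue: Iterable[str]) -> str:
        """Record the DS and parent NS+glue seen for `zone`; return the verdict.

        "bogus" here means only that the pinning rule fired.  Ordinary DNSSEC
        signature validation is assumed to have passed and is not modelled.
        """
        ds_set, ns_set = frozenset(ds), frozenset(ns_glue)
        pins = self.pins.get(zone)
        if pins is None:
            self.pins[zone] = ZonePins(PinnedRRset(ds_set), PinnedRRset(ns_set))
            return "secure"
        for rec, value in ((pins.ds, ds_set), (pins.ns_glue, ns_set)):
            rec.expire(now)
            rec.observe(value, now)
        return self.status(zone, now)


# Constructed RRset contents (hypothetical zone "example").
DS_OLD = {"example. DS 12345 8 2 aaaa"}
DS_NEW = {"example. DS 54321 8 2 bbbb"}
NS_OLD = {"example. NS ns1.old-op.example.", "ns1.old-op.example. A 192.0.2.1"}
NS_NEW = {"example. NS ns1.new-op.example.", "ns1.new-op.example. A 198.51.100.1"}
HOUR = 3600


def benign_rollover_scenario() -> List[str]:
    """KSK rollover, then a provider move two hours later: nothing hostile,
    yet the rule fires until two days after the first change."""
    v = PinningValidator()
    return [
        v.observe("example", 0, DS_OLD, NS_OLD),            # pinned on first sight
        v.observe("example", 1 * HOUR, DS_NEW, NS_OLD),     # only DS changed
        v.observe("example", 3 * HOUR, DS_NEW, NS_NEW),     # both changed: bogus
        v.status("example", 1 * HOUR + WINDOW - 1),         # still inside the window
        v.status("example", 1 * HOUR + WINDOW),             # 2 days from first change
    ]


def revert_scenario() -> List[str]:
    """Both change at once, then NS+glue returns to the pinned value."""
    v = PinningValidator()
    return [
        v.observe("example", 0, DS_OLD, NS_OLD),
        v.observe("example", 10, DS_NEW, NS_NEW),           # bogus
        v.observe("example", 20, DS_NEW, NS_OLD),           # NS+glue changed back
    ]
```

The benign timeline returns `bogus` for nearly two days even though every record was published by the legitimate operator, which is the false-positive cost the reply points to; the revert timeline shows the one escape hatch the policy offers short of waiting out the window.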