Given the behaviour of an unknown algorithm, if the anycast node signs with an algorithm they can guarantee you don't understand, how did you know DNSSEC was turned off silently?

i.e., a silent downgrade response means that an anycast node can mask changes to the root, because you won't know DNSSEC was disabled. (happy to be shown this can't happen btw. it's the risk I worry about)

On Mon, Nov 10, 2014 at 10:48 AM, John R Levine <jo...@taugh.com> wrote:

>>> This happens in China (on CERNET I believe): there are a set of root
>>> mirrors that hijack most (but not all) of the root IPs. As far as we
>>> can tell, the servers are legitimate, returning the proper responses,
>>> except that the mirror servers don't support DNSSEC.
>>
>> Those are unusual meanings for "legitimate" and "proper responses"!
>
> Given the extensive use of anycast, these days one has only the vaguest
> idea of who's answering any particular query. But if DNSSEC says it's
> good, why do you care?
>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
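The detection question raised in the thread (how a client tells that a root mirror answered without DNSSEC, or with an algorithm it cannot check) can be made concrete with a small pure-Python wire-format check; this is an added example, not code from the thread or from any participant. It classifies a response to a DO=1 query for the root SOA by the RRSIG algorithms it carries; the messages are constructed in the block, and `SAMPLE_SOA`, `classify` and the supported-algorithm set are assumptions.

```python
import struct

SOA, RRSIG = 6, 46  # RR type numbers

def _name(name):  # dotted name ('.' = root) in uncompressed wire form
    return b''.join(bytes([len(l)]) + l.encode() for l in name.split('.') if l) + b'\x00'

def _rr(name, rtype, rdata, ttl=3600):  # owner, type, class IN, TTL, RDLENGTH, RDATA
    return _name(name) + struct.pack('!HHIH', rtype, 1, ttl, len(rdata)) + rdata

def rrsig_rdata(alg):  # RRSIG over './SOA' with the given algorithm; dummy signature bytes
    return struct.pack('!HBBIIIH', SOA, alg, 0, 3600, 0, 0, 1234) + _name('.') + b'\x00' * 8

def build_response(answers):  # constructed response: header, one './SOA' question, answers
    header = struct.pack('!HHHHHH', 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + _name('.') + struct.pack('!HH', SOA, 1) + b''.join(answers)

def _skip_name(msg, pos):  # offset just past a name (labels or a compression pointer)
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def rrsig_algorithms(msg):
    """Algorithm numbers of every RRSIG in the answer section."""
    _, _, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    pos, algs = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4      # skip QTYPE, QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[pos:pos + 10])
        pos += 10
        if rtype == RRSIG:
            algs.append(msg[pos + 2])       # RDATA: type covered (2 bytes), then algorithm
        pos += rdlen
    return algs

def classify(msg, supported_algs):
    """Classify a response to a DO=1 query for a zone known to be signed (the root)."""
    algs = rrsig_algorithms(msg)
    if not algs:
        return 'UNSIGNED'          # no RRSIG at all: the silent-downgrade case
    if not set(algs) & supported_algs:
        return 'UNSUPPORTED_ALG'   # the unknown-algorithm case; validators treat it as insecure
    return 'SIGNED'

SAMPLE_SOA = _rr('.', SOA, _name('a.root-servers.net.') + _name('nstld.verisign-grs.com.')  # constructed
                 + struct.pack('!IIIII', 2014111000, 1800, 900, 604800, 86400))
```

A validating resolver makes this check itself (missing signatures for a zone with a trust anchor come back bogus); a non-validating stub receives no such signal, which is what the thread is worried about.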