> George Michaelson <mailto:g...@algebras.org>
> Monday, November 10, 2014 1:02 PM
>
> Given the behaviour of unknown algorithm, if the anycast node signs
> with an algorithm they can guarantee you don't understand, how did you
> know DNSSEC was turned off silently?
>
> ie, downgrade silent response means that an anycast node can mask
> changes to the root, because you won't know DNSSEC was disabled.
>
> (happy to be shown this can't happen btw. its the risk I worry about)
what would we like to have happen in this case? bind9 has a must-be-secure option that would transform this into total darkness. some users would rather be in total darkness when their root service has been intercepted by a non-trusted party. others would rather just go on as before.

of course, this risk exists today, but at smaller scale, because very few people deliberately advertise root name service prefixes.

it's worth carefully enumerating the desired behaviour, both in case this proposal goes through and, even if it doesn't, if we keep the status quo.

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
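The two behaviours being compared in the exchange above, the validator's silent fallback to "insecure" when it sees only algorithms it does not implement (the rule in RFC 4035 section 5.2: treat the delegation as if an authenticated denial of the DS RRset had been received) and the stricter must-be-secure policy Vixie refers to, can be modelled in a few lines. The code below is an added example written for this page; it is not BIND's implementation and not code from either poster. It is a simplified decision model: the set of supported algorithms, the algorithm number 250, the `verifies` callback standing in for real signature checking, and the three scenarios are all constructed for illustration.

```python
"""Model of DNSSEC validation outcomes for one delegation, and of how a
must-be-secure policy changes what the stub client sees.

Added example for illustration. It models the validator's decision rule,
not real signature verification: `verifies(alg)` stands in for checking an
RRSIG of that algorithm against a DNSKEY matching the parent's DS record.
"""
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

# Algorithms this hypothetical validator implements (IANA DNSSEC algorithm
# numbers: 8 = RSASHA256, 13 = ECDSAP256SHA256, 14 = ECDSAP384SHA384).
# The set is an assumption of the example, not a statement about any product.
SUPPORTED_ALGORITHMS: FrozenSet[int] = frozenset({8, 13, 14})

# An algorithm number this validator does not implement (constructed value).
UNKNOWN_ALGORITHM = 250


class Status(Enum):
    SECURE = "secure"      # chain of trust verified; AD bit set on the reply
    INSECURE = "insecure"  # unsigned, or signed only with unsupported algorithms
    BOGUS = "bogus"        # signed with a supported algorithm, but it did not verify


def classify_delegation(ds_algorithms: Iterable[int],
                        rrsig_algorithms: Iterable[int],
                        verifies: Callable[[int], bool]) -> Status:
    """Decide the validation status of a child zone's DNSKEY RRset.

    ds_algorithms:    algorithms listed in the parent's authenticated DS RRset
    rrsig_algorithms: algorithms of the RRSIGs covering the child's DNSKEY RRset
    verifies:         stand-in for cryptographic verification of one algorithm
    """
    ds_algs = set(ds_algorithms)
    if not ds_algs:
        # Authenticated proof that no DS exists: an unsigned delegation.
        return Status.INSECURE
    usable = ds_algs & SUPPORTED_ALGORITHMS
    if not usable:
        # RFC 4035 s5.2: no supported algorithm in the DS RRset is handled
        # exactly like "no DS RRset at all". This is the silent downgrade:
        # the resolver answers normally, just without the AD bit.
        return Status.INSECURE
    # One verifying path through a supported algorithm is enough for SECURE.
    for alg in usable & set(rrsig_algorithms):
        if verifies(alg):
            return Status.SECURE
    return Status.BOGUS


def resolver_reply(status: Status, must_be_secure: bool) -> Tuple[str, bool]:
    """Map a validation status to (rcode, AD bit) as a stub client sees it.

    must_be_secure models the policy Vixie mentions: an INSECURE answer is
    refused (SERVFAIL, "total darkness") instead of being passed on quietly.
    """
    if status is Status.BOGUS:
        return ("SERVFAIL", False)
    if status is Status.INSECURE and must_be_secure:
        return ("SERVFAIL", False)
    return ("NOERROR", status is Status.SECURE)


def run_scenarios(must_be_secure: bool) -> Dict[str, Tuple[str, bool]]:
    """Three constructed responses for the same delegation, for illustration."""
    scenarios = {
        # Legitimate node: DS and RRSIG use RSASHA256 and the signature checks.
        "honest": classify_delegation({8}, {8}, lambda alg: True),
        # Node that presents only an algorithm the validator does not know.
        "unknown-algorithm": classify_delegation({UNKNOWN_ALGORITHM},
                                                 {UNKNOWN_ALGORITHM},
                                                 lambda alg: False),
        # Node that forges data under a supported algorithm: signature fails.
        "forged-supported": classify_delegation({8}, {8}, lambda alg: False),
    }
    return {name: resolver_reply(status, must_be_secure)
            for name, status in scenarios.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"must-be-secure={policy}")
        for name, (rcode, ad) in run_scenarios(policy).items():
            print(f"  {name:18s} rcode={rcode:8s} AD={int(ad)}")
```

Under the default policy the "unknown-algorithm" case returns NOERROR with AD clear, which is the silent part of the downgrade: a client that does not look at the AD bit cannot distinguish it from the honest answer. With the must-be-secure policy the same case becomes SERVFAIL, indistinguishable from an outage, which is the trade-off the reply above describes.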