On Wed, Jan 04, 2017 at 10:28:11AM -0800, Nicholas Weaver wrote:

> An attacker in that position can just put in garbage, and you get
> SERVFAIL instead of NXDOMAIN, regardless of whether the attacker has
> compromised the key or not.
A SERVFAIL is an erroneous condition. An NXDOMAIN is not - it is business as usual. SERVFAILs are sometimes cached very temporarily to reduce load on upstream servers, but they are not answers. NXDOMAINs are cached as *answers* from the remote auth server.

On-path disruption is impossible to defeat. An on-path attacker who wants to poison answers without raising suspicions (logged validation failures) will want validation to succeed.

Mukund
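The distinction above (SERVFAIL as a logged error condition, NXDOMAIN as an ordinary cached answer) is what a resolver operator can actually monitor. The following is an added example, not code from the thread or from any resolver: it summarises constructed, loosely BIND-style log lines per zone and flags zones where validation failures coincide with SERVFAILs, while leaving NXDOMAIN traffic alone. The log format, the zone_of() heuristic and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (loosely BIND-like; not real output).
SAMPLE_LOG = """\
04-Jan-2017 10:30:01 client 192.0.2.10#5353: query: www.example.com IN A
04-Jan-2017 10:30:01 validating www.example.com/A: no valid signature found
04-Jan-2017 10:30:01 query failed (SERVFAIL) for www.example.com/IN/A
04-Jan-2017 10:30:02 validating www.example.com/A: no valid signature found
04-Jan-2017 10:30:02 query failed (SERVFAIL) for www.example.com/IN/A
04-Jan-2017 10:30:05 query failed (NXDOMAIN) for nosuch.example.net/IN/A
04-Jan-2017 10:30:07 query failed (NXDOMAIN) for other.example.net/IN/A
"""

# Assumed line shapes for this example: a validation failure and a failed query rcode.
VALIDATION_RE = re.compile(r"validating (\S+?)/\w+: (.+)$")
RCODE_RE = re.compile(r"query failed \((SERVFAIL|NXDOMAIN)\) for (\S+?)/IN/\w+")


def zone_of(name):
    # Crude heuristic (assumption): treat the last two labels as the zone.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(log_text):
    """Count validation failures, SERVFAILs and NXDOMAINs per zone."""
    stats = defaultdict(lambda: {"validation_failures": 0, "SERVFAIL": 0, "NXDOMAIN": 0})
    for line in log_text.splitlines():
        m = VALIDATION_RE.search(line)
        if m:
            stats[zone_of(m.group(1))]["validation_failures"] += 1
            continue
        m = RCODE_RE.search(line)
        if m:
            stats[zone_of(m.group(2))][m.group(1)] += 1
    return dict(stats)


def suspicious_zones(stats, min_failures=2):
    """Zones whose SERVFAILs coincide with repeated validation failures.

    NXDOMAIN is a normal negative answer and is deliberately not a signal here.
    """
    return sorted(z for z, s in stats.items()
                  if s["validation_failures"] >= min_failures and s["SERVFAIL"] > 0)


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for zone, s in sorted(st.items()):
        print(zone, s)
    print("suspicious:", suspicious_zones(st))
```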
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop