Brian Dickson wrote:
>> If a resolver correctly knows an IP address of a nameserver of a parent zone

>> The statement is not more demanding for resolvers to be configured with correct certificates.

> I'm presuming you mean "DNSSEC ICANN/IANA Root Trust Anchor", which is a public key, not a certificate per se.

OK.

> I presume you're comparing two models, one using DNSSEC, and one where no DNSSEC validation is done ever (replaced with TLS,

No, TLS is overkill. Plain DNS with a long enough message ID is secure enough.

Though it is vulnerable to active MitM attacks, where packets are not only spoofed but also dropped, modified and/or generated, such attacks are as likely/unlikely as having a fake root trust anchor through social attacks (including a legal order by some government).

As for DoS, IMO, anycast is the only practical protection.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop