On 3/17/25 20:18, Willem Toorop wrote:
> But many zones are still not DNSSEC signed. Making sure that responses are answered by the correct authoritative name servers (NS revalidation), protects the unsigned zones

The thing is, there is no "making sure". If the referral for an insecure delegation is spoofed, then NS revalidation won't help you, as any serious attacker will set up their fake zones to contain an apex RRset different from the original one.

This is actually the main point I've never understood about revalidation. (What definition of "validation" is actually being used here? It's more like a consistency check.)

Best,
Peter

--
https://desec.io/