Hi Willem,
On 3/17/25 23:16, Willem Toorop wrote:
> - For signed delegations, NS revalidation protects the privacy of the actual
> query.
> And in addition to that, it prevents all unsigned parts of the hijacked zone from
> being rewritten. For example, if com is hijacked, unsigned zones like google.com
> can be redirected.
First, .com is signed, so I'm not sure how you'd hijack it as a whole.
Second, let's say I run a proxy between the .com server and your resolver, and
I manipulate unsigned delegations, but forward everything else (so that things
expected to DNSSEC-validate do actually validate). For my fake unsigned
delegations, I make sure that my nameservers serve the same fake NS RRsets on
the child apex. -- If your resolver now does NS re-validation, how does that
prevent me from rewriting those unsigned delegations?
> NS revalidation of signed delegations is the only mitigation that protects
> against on-path or partly on-path attacks.
Given the above, I just don't understand that. I hope I'll see the light! :-)
Cheers,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
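The scenario Peter sketches above, written out as a toy model (an added example, not code from the thread or from any resolver): a signed parent (.com) with one signed and one unsigned child, an attacker proxy that rewrites only the NS RRsets of unsigned delegations and serves the same NS RRset at the child apex, and a resolver that validates the DS/NSEC proof and then does NS revalidation. All zone names, nameserver names and keys are constructed; RRSIGs are modelled as HMAC-SHA256 with a per-zone secret, which is a stand-in, not DNSSEC. A `greedy` switch additionally shows what happens when the proxy also touches a signed delegation.

```python
"""Toy model: delegation lookup + NS revalidation with a partly on-path attacker.

Constructed example. Signatures are HMAC-SHA256 with a per-zone secret (a
stand-in for real RRSIGs); zone and server names are made up.
"""
import hashlib
import hmac

# Constructed per-zone signing secrets (stand-in for DNSSEC keys).
# unsigned.com. has none: it is an insecure delegation.
ZONE_SECRET = {"com.": b"com-key", "signed.com.": b"signed-key"}

HONEST_NS = ["ns1.honest.example."]
EVIL_NS = ["ns1.evil.example."]


def rrsig(zone, name, rtype, rdata):
    """Stand-in RRSIG: HMAC over owner/type/sorted rdata under the zone's secret."""
    msg = f"{name}|{rtype}|{','.join(sorted(rdata))}".encode()
    return hmac.new(ZONE_SECRET[zone], msg, hashlib.sha256).hexdigest()


def verify(zone, name, rtype, rdata, sig):
    """True if sig is a valid stand-in RRSIG of the RRset under zone's key."""
    return zone in ZONE_SECRET and hmac.compare_digest(rrsig(zone, name, rtype, rdata), sig)


# Parent (.com) delegation data. In a signed parent only the DS RRset (or the
# NSEC/NSEC3 record proving there is no DS) is signed; delegation NS and glue
# are not, which is exactly the gap the proxy below exploits.
PARENT = {
    "signed.com.": {"NS": HONEST_NS, "DS": ["ds:signed.com"]},
    "unsigned.com.": {"NS": HONEST_NS, "DS": []},
}


def parent_referral(qname):
    """Referral as the .com server would send it: unsigned NS + signed DS or NSEC."""
    d = PARENT[qname]
    proof_type = "DS" if d["DS"] else "NSEC"
    proof_rdata = d["DS"] or [f"{qname} no-DS"]
    return {"NS": list(d["NS"]), proof_type: proof_rdata,
            "RRSIG": rrsig("com.", qname, proof_type, proof_rdata)}


def apex_ns(server, qname):
    """Apex NS RRset as served by a given nameserver."""
    if server in HONEST_NS:
        rr = {"NS": list(HONEST_NS)}
        if qname in ZONE_SECRET:  # a signed child signs its apex NS RRset
            rr["RRSIG"] = rrsig(qname, qname, "NS", HONEST_NS)
        return rr
    if server in EVIL_NS:
        return {"NS": list(EVIL_NS)}  # attacker has no child key, so no RRSIG
    raise KeyError(server)


def proxy(referral, greedy=False):
    """Attacker between .com and the resolver: rewrite unsigned delegations only
    (greedy=True also rewrites signed ones, to show why that fails)."""
    if greedy or "NSEC" in referral:
        referral = dict(referral, NS=list(EVIL_NS))
    return referral


def resolve_ns(qname, on_path=False, greedy=False):
    """Return (accepted NS RRset, status) after DS/NSEC validation + NS revalidation."""
    ref = parent_referral(qname)
    if on_path:
        ref = proxy(ref, greedy)
    proof_type = "DS" if "DS" in ref else "NSEC"
    if not verify("com.", qname, proof_type, ref[proof_type], ref["RRSIG"]):
        return None, "bogus parent proof"
    child_signed = proof_type == "DS"
    # NS revalidation: ask the delegated server for the child's own apex NS RRset.
    ans = apex_ns(ref["NS"][0], qname)
    if child_signed and not (
        "RRSIG" in ans and verify(qname, qname, "NS", ans["NS"], ans["RRSIG"])
    ):
        return None, "bogus apex NS"
    if sorted(ans["NS"]) != sorted(ref["NS"]):
        return None, "delegation/apex NS mismatch"
    return ans["NS"], "secure" if child_signed else "insecure"


if __name__ == "__main__":
    for q in ("signed.com.", "unsigned.com."):
        print(q, "clean:", resolve_ns(q), "on-path:", resolve_ns(q, on_path=True))
    print("signed.com. on-path greedy:", resolve_ns("signed.com.", on_path=True, greedy=True))
```

The unsigned child ends up at the attacker's servers with status "insecure" and revalidation passing, because the attacker controls both the (unsigned) delegation NS and the apex NS it is compared against. The signed child can only be redirected if the attacker also rewrites a signed delegation, and then revalidation catches it because the attacker cannot produce a valid apex NS RRSIG.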