On 18/03/2025 14.23, Philip Homburg wrote:
> Unbound contains a significant amount of processing to try to protect unsigned zones.
We also have lots of such code. And still we're hearing people wanting more and more. I personally think we have enough at this point already, and for people wanting more there's DNSSEC. (Not just revalidation, but security research papers quite regularly try to misuse cache poisoning and propose some more patches to the inherently insecure things.)
As noted, these measures we have also help mitigate that privacy risk uncovered by DNSSEC - where successful attacks can be used to redirect DNS traffic and extend that into the whole subtree, basically an off-path attacker making themselves on-path for DNS.
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
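As an added illustration (not code from Unbound, Knot Resolver, or anyone on this thread), the following toy resolver cache shows one of the classic protections for unsigned zones, a bailiwick check on authority and additional records, and what a single forged response achieves without it: an NS record planted for a zone the responding server was never delegated, after which every later query under that zone is sent to the attacker's server, which is the "off-path attacker making themselves on-path" outcome. All names, addresses, and the `Response.zone` field (standing in for the delegation point a real resolver tracks internally) are constructed for the example.

```python
# Toy resolver cache with an optional bailiwick check.
# Added example; names, addresses and the Response.zone field are made up.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "example.com."
    rtype: str   # "A" or "NS"
    rdata: str   # address for A, target host for NS


@dataclass
class Response:
    qname: str                      # name the resolver asked for
    zone: str                       # zone the queried server was delegated for
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def _norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if name is at or below zone; the root ("." or "") covers everything."""
    n, z = _norm(name), _norm(zone)
    return z == "" or n == z or n.endswith("." + z)


class Cache:
    def __init__(self, harden=True):
        self.harden = harden   # False reproduces the naive, poisonable behaviour
        self.rrs = []

    def ingest(self, resp):
        """Cache every record in the response; with harden=True drop any record
        whose owner lies outside the zone the queried server is delegated for."""
        accepted, rejected = [], []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.harden and not in_bailiwick(rr.name, resp.zone):
                rejected.append(rr)
                continue
            if rr not in self.rrs:
                self.rrs.append(rr)
            accepted.append(rr)
        return accepted, rejected

    def nameservers_for(self, name):
        """Closest enclosing NS set in cache: where the next query would be sent."""
        labels = _norm(name).split(".")
        for i in range(len(labels) + 1):
            zone = ".".join(labels[i:])
            ns = [rr.rdata for rr in self.rrs
                  if rr.rtype == "NS" and _norm(rr.name) == zone]
            if ns:
                return zone, ns
        return "", []


def simulate(harden):
    cache = Cache(harden)
    # Legitimate delegation for example.com, as returned by the com servers (constructed).
    cache.ingest(Response("www.example.com.", "com.",
                          authority=[RR("example.com.", "NS", "ns1.example.com.")],
                          additional=[RR("ns1.example.com.", "A", "192.0.2.53")]))
    # The resolver asks a name under attacker.example; the forged response answers
    # the question but also stuffs an NS record for example.com into the authority
    # section. attacker.example's servers are not delegated for example.com.
    forged = Response("nonce123.attacker.example.", "attacker.example.",
                      answer=[RR("nonce123.attacker.example.", "A", "203.0.113.10")],
                      authority=[RR("example.com.", "NS", "ns1.attacker.example.")],
                      additional=[RR("ns1.attacker.example.", "A", "203.0.113.66")])
    _, rejected = cache.ingest(forged)
    # A later, unrelated query under example.com: who does the resolver ask now?
    zone, ns = cache.nameservers_for("mail.example.com.")
    return {
        "rejected": [rr.name for rr in rejected],
        "zone": zone,
        "nameservers": ns,
        "attacker_on_path": "ns1.attacker.example." in ns,
    }


if __name__ == "__main__":
    for harden in (False, True):
        print("harden=%s -> %s" % (harden, simulate(harden)))
```

The check is deliberately crude: real resolvers also refuse authority/additional records that merely match the bailiwick but override a better-trusted cached RRset, randomise source ports and transaction IDs so the forged response is unlikely to be accepted in the first place, and, where the zone is signed, reject the planted NS outright because it cannot validate.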