>
> Davey - if there is a pervasive/omnipresent man-in-the-middle attacker,
> then no security protocol (DNSSEC, TLS, HTTPS or any other) can
> _prevent_ the attack. All they can do is to _detect_ that an attack is
> taking place (and probably abort).
>
> Shumon.
>
Fair enough.
Davey
>
___
On Tue, Apr 28, 2020 at 11:22 AM Paul Wouters wrote:
> On Tue, 28 Apr 2020, Davey Song wrote:
>
> > OK. It makes sense to try every name server to defend the case if the
> > adversary only intercepts one path. But the adversary also knows the resolver
> > will retry other servers. So a smarter adve
On Tue, 28 Apr 2020, Davey Song wrote:
OK. It makes sense to try every name server to defend the case if the adversary
only intercepts one path. But the adversary also knows the resolver will
retry other servers. So a smarter adversary may intercept in the aggregated
upstreaming path where all q
That language could probably use some clarification. I would interpret
> "if .. none of the RRSIGs can be validated" as "if .. none of the RRSIGs
> can be validated from _any_ of the authority servers". In practice, every
> validating resolver I'm familiar with will retry other servers upon
> signa
On Tue, Apr 28, 2020 at 9:48 AM Davey Song wrote:
>
> I think you mean if you receive a BOGUS validation result (eg missing
>> RRSIG records, or otherwise are not getting the records needed for proof
>> of non-existence or signatures. In that case, I think the existing
>> DNS protocol already tel
> I think you mean if you receive a BOGUS validation result (eg missing
> RRSIG records, or otherwise are not getting the records needed for proof
> of non-existence or signatures. In that case, I think the existing
> DNS protocol already tells you to try other servers?
>
According to RFC4035 sect
On Tue, 28 Apr 2020, Davey Song wrote:
As far as I know, in DNSSEC the validating resolver is able to identify a bad
response if signatures do not validate. But it is unable to retrieve the good
one for the stub resolver if there are other alternatives.
I think you mean if you receive a BOGUS valid
Hi folks,
As far as I know, in DNSSEC the validating resolver is able to identify a
bad response if signatures do not validate. But it is unable to retrieve the
good one for the stub resolver if there are other alternatives.
I'm thinking about a draft proposal if signatures do not validate, the
validati