To: bert hubert <ahu@ds9a.nl>, dnsop@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Thu, 20 Mar 2003 14:12:22 +0100
Content-Disposition: inline
In-Reply-To: <20030320125458.GA19535@outpost.ds9a.nl>
Mail-Followup-To: bert hubert <ahu@ds9a.nl>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: Re: secondary behavior with DNSSEC
[On 20 Mar, @13:54, bert wrote in "Re: secondary behavior with DN ..."]
> On Thu, Mar 20, 2003 at 10:48:46AM +0100, Miek Gieben wrote:
>
> > This difference with DNS is obvious, with DNS a secondary that was not up to
> > date was bad, but it was still sort of usable. With DNSSEC a secondary that is
> > longer out of date than the signature lifetime is disastrous - it causes the
> > local removal of a TLD (in this case).
>
> I also see interesting DoS possibilities here - DNSSEC does not offer any
> additional protection against spoofing, except that cached answers will be
> recognized as being spoofed, but only by DNSSEC aware clients and not by
> generic recursors.
>
> So by spoofing in a badly signed NL NS record, the TLD vanishes for all
> secure clients of that poisoned recursor.

This is already known, if a secure resolver sits behind a non-secure recursor you're on your own.

grtz Miek
--
:wq!
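The stale-secondary failure mode quoted above (a copy older than the signature lifetime is rejected by validators) is something an operator can watch for directly. The following is an added example, not code from this thread or from any of the participants: it parses presentation-format RRSIG records and flags signatures that have expired, or expire within an assumed one-day warning window, relative to a chosen clock. The RRSIG lines are constructed sample data, not real zone contents.

```python
"""Flag expired or soon-expiring RRSIGs on a (possibly stale) secondary.
Added example for the thread above; SAMPLE below is constructed data."""
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 s.3.2): owner TTL IN RRSIG type alg
# labels orig-TTL expiration inception keytag signer signature, with
# expiration/inception written as YYYYMMDDHHmmSS in UTC.

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line: str) -> dict:
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "type": f[4], "expiration": _ts(f[8]),
            "inception": _ts(f[9]), "signer": f[11]}

def check_signatures(lines, now, warn=timedelta(days=1)):
    """Return (status, owner, type, seconds_left) per RRSIG; status is
    'expired', 'expiring' (within warn), 'not-yet-valid' or 'ok'."""
    out = []
    for line in lines:
        r = parse_rrsig(line)
        left = (r["expiration"] - now).total_seconds()
        if now < r["inception"]:
            status = "not-yet-valid"
        elif left <= 0:
            status = "expired"          # validators will reject this RRset
        elif left <= warn.total_seconds():
            status = "expiring"         # refresh from the primary soon
        else:
            status = "ok"
        out.append((status, r["owner"], r["type"], int(left)))
    return out

# Constructed sample: a secondary still serving week-old NS signatures.
SAMPLE = [
    "example. 3600 IN RRSIG NS 5 1 3600 20030319120000 20030312120000 12345 example. AAAA",
    "example. 3600 IN RRSIG SOA 5 1 3600 20030321100000 20030314100000 12345 example. AAAA",
    "www.example. 3600 IN RRSIG A 5 2 3600 20030401000000 20030318000000 12345 example. AAAA",
]

def run_sample():
    """Evaluate SAMPLE at a fixed clock close to the thread's date."""
    return check_signatures(SAMPLE, datetime(2003, 3, 20, 13, 12, tzinfo=timezone.utc))

if __name__ == "__main__":
    for status, owner, rtype, left in run_sample():
        print(f"{status:13} {owner} {rtype} ({left}s to expiry)")
```

Run against a real zone transfer dump, the same check turns "the secondary is out of date" into a concrete list of RRsets that validating clients will already be discarding.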