[dns-operations] DNS trust dependencies for ICANN TLDs

Florian Weimer fw at deneb.enyo.de
Thu Jun 11 14:23:19 UTC 2009

* Francis Dupont:

>  In your previous mail you wrote:
>    I've assembled a collection of graphs of zone and name server trust
>    dependencies for each ICANN TLD at
>        http://shinobi.dempsky.org/~matthew/dnstrust/graphs/
> => BTW do you know an authoritative server and a caching server are
> very different beasts? So cache poisoning is *only* about caching
> servers and does nothing to an authoritative server...

He specifically stated that he assumes he's got full control over an
authoritative server.  It's a different form of attack.  I haven't
tried it, but I suspect it will work (but perhaps not against very
busy resolvers).

(Some forms of glue hardening should help here a bit, too, by the

More information about the dns-operations mailing list