[dns-operations] DNSSEC in the root, please help me understand

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jan 15 08:48:00 UTC 2010


On Fri, Jan 15, 2010 at 09:38:54AM +0100,
 Marco Davids <marco.davids at sidn.nl> wrote 
 a message of 21 lines which said:

> How usefull is that, if the zones 'net.', 'gtld-servers.net.' and
> 'ROOT-SERVERS.NET.' won't be signed as well?

IMHO, it is not necessary: DNSSEC secures the data, not the channel
(unlike TSIG or DNScurve). So, it works (it allows you to detect
forgeries) even if you are redirected to the wrong name server.



More information about the dns-operations mailing list