[dns-operations] DNSSEC in the root, please help me understand

Matthew Dempsky matthew at dempsky.org
Fri Jan 15 09:07:21 UTC 2010

On Fri, Jan 15, 2010 at 12:48 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> IMHO, it is not necessary: DNSSEC secures the data, not the channel
> (unlike TSIG or DNScurve). So, it works (it allows you to detect
> forgeries) even if you are redirected to the wrong name server.

Not if the server you're directed to isn't using DNSSEC.  Also,
ensuring you can reject the wrong data is different from ensuring you
can accept the right data.

More information about the dns-operations mailing list