[dns-operations] DNSSEC in the root, please help me understand
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Jan 15 11:31:30 UTC 2010
On Fri, Jan 15, 2010 at 01:07:21AM -0800, Matthew Dempsky <matthew at dempsky.org> wrote a message of 12 lines which said:
> > So, it [DNSSEC] works (it allows you to detect forgeries) even if
> > you are redirected to the wrong name server.
>
> Not if the server you're directed to isn't using DNSSEC.
Not true. If a cracker redirects you to a non-DNSSEC root name server,
the validating resolver, having a trust anchor for the root, will see
there is a problem and will report it. (Same thing for other domains,
with the DS record.)
> ensuring you can reject the wrong data is different from ensuring
> you can accept the right data.
No protocol can protect you against denial-of-service ("preventing you
from getting the right data"). Not DNSSEC, but no other protocol either.
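The distinction the reply draws (a validating resolver with a trust anchor treats a missing signature as a failure, not as "no DNSSEC here", and the DS record plays the same role for child zones) can be seen in a small model of the RFC 4035 validation outcomes. This is an added, constructed example, not code from the list post or from any resolver: HMAC-SHA256 stands in for DNSKEY/RRSIG, a boolean stands in for a DS record in the parent, and the zone names, keys and RRset contents are made up.

```python
"""Toy model of DNSSEC validation outcomes: SECURE / INSECURE / BOGUS.

Constructed example. HMAC-SHA256 stands in for the RRSIG/DNSKEY pair and a
boolean stands in for "the parent publishes a DS for this zone". This is
not real DNSSEC wire format; it only models the decision a validating
resolver makes once it holds a trust anchor for the root.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Zone:
    name: str                 # ".", "fr.", "example."
    parent: Optional[str]     # None for the root
    key: Optional[bytes]      # toy zone key; None means the zone is unsigned
    ds_in_parent: bool        # parent publishes a DS pointing at this key


@dataclass
class Response:
    zone: str                 # zone the answer claims to come from
    rrset: bytes              # answer data
    rrsig: Optional[bytes]    # toy signature; None if the server does no DNSSEC


def sign(key: bytes, rrset: bytes) -> bytes:
    """Stand-in for an RRSIG: keyed hash of the RRset."""
    return hmac.new(key, rrset, hashlib.sha256).digest()


def chain_of_trust(zone_name: str, zones: Dict[str, Zone], anchors: Set[str]) -> str:
    """Walk from the zone up to a trust anchor.

    SECURE   : every delegation on the way has a DS and the walk ends at an anchor,
               so the resolver EXPECTS signed data from this zone.
    INSECURE : some delegation has no DS, so the zone is an unsigned island and
               unsigned answers are accepted (pre-DNSSEC behaviour).
    """
    z = zones[zone_name]
    while True:
        if z.name in anchors:
            return "SECURE"
        if z.parent is None:
            return "INSECURE"      # no anchor configured for the root at all
        if not z.ds_in_parent:
            return "INSECURE"      # parent publishes no DS: unsigned delegation
        z = zones[z.parent]


def validate(resp: Response, zones: Dict[str, Zone], anchors: Set[str]) -> str:
    """Classify one answer the way a validating resolver would."""
    status = chain_of_trust(resp.zone, zones, anchors)
    if status != "SECURE":
        return status
    # The chain of trust says this zone must be signed. A server that does not
    # do DNSSEC, or a forged RRset, yields a missing/wrong signature: BOGUS,
    # never INSECURE. The resolver rejects the data but cannot conjure the
    # right answer, which is the denial-of-service limit the post mentions.
    key = zones[resp.zone].key
    if resp.rrsig is None or key is None:
        return "BOGUS"
    if not hmac.compare_digest(resp.rrsig, sign(key, resp.rrset)):
        return "BOGUS"
    return "SECURE"


# Constructed zone tree: signed root with a trust anchor, a DS-delegated
# signed TLD "fr.", and an unsigned TLD "example." with no DS.
ROOT_KEY = b"constructed-root-key"
FR_KEY = b"constructed-fr-key"
ZONES = {
    ".": Zone(".", None, ROOT_KEY, ds_in_parent=False),
    "fr.": Zone("fr.", ".", FR_KEY, ds_in_parent=True),
    "example.": Zone("example.", ".", None, ds_in_parent=False),
}
TRUST_ANCHORS = {"."}


def scenarios() -> Dict[str, str]:
    """Outcomes for a genuine root answer, two redirect attacks, and an unsigned TLD."""
    root_rr = b"fr. IN NS d.nic.fr."
    fr_rr = b"nic.fr. IN A 192.0.2.53"
    forged = b"fr. IN NS ns.attacker.example."
    return {
        # legitimate root server, properly signed
        "genuine root answer": validate(Response(".", root_rr, sign(ROOT_KEY, root_rr)), ZONES, TRUST_ANCHORS),
        # redirected to a root server that does not serve DNSSEC at all
        "root answer without signatures": validate(Response(".", forged, None), ZONES, TRUST_ANCHORS),
        # redirected to a server signing with a key the trust anchor does not cover
        "root answer with foreign key": validate(Response(".", forged, sign(b"attacker-key", forged)), ZONES, TRUST_ANCHORS),
        # child zone reached through a DS: same rule applies below the root
        "fr. answer without signatures": validate(Response("fr.", fr_rr, None), ZONES, TRUST_ANCHORS),
        "genuine fr. answer": validate(Response("fr.", fr_rr, sign(FR_KEY, fr_rr)), ZONES, TRUST_ANCHORS),
        # no DS in the parent: the resolver has nothing to check and accepts it
        "unsigned example. answer": validate(Response("example.", b"www.example. IN A 192.0.2.1", None), ZONES, TRUST_ANCHORS),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status:9s} {name}")
```

The point to notice is the ordering: the resolver first decides from its trust anchor and the DS chain whether signed data is required, and only then looks at the answer. Once the root is anchored, an unsigned root answer can never be downgraded to INSECURE; it is BOGUS and discarded, though nothing in the protocol then supplies the answer the attacker withheld.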