[dns-operations] DNSSEC in the root, please help me understand

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jan 15 11:31:30 UTC 2010

On Fri, Jan 15, 2010 at 01:07:21AM -0800,
 Matthew Dempsky <matthew at dempsky.org> wrote 
 a message of 12 lines which said:

> > So, it [DNSSEC] works (it allows you to detect forgeries) even if
> > you are redirected to the wrong name server.
> Not if the server you're directed to isn't using DNSSEC.  

Not true. If a cracker redirects you to a non-DNSSEC root name server,
the validating resolver, having a trust anchor for the root, will see
there is a problem and will report it. (Same thing for other domains,
with the DS record.)

> ensuring you can reject the wrong data is different from ensuring
> you can accept the right data.

No protocol can protect you against denial-of-service ("preventing you
for getting the right data"). No DNSSEC, but no others.

More information about the dns-operations mailing list